httpd-dev mailing list archives

From "Paul Querna" <>
Subject Re: [PATCH] mod_auth_digest.c -- EnableQueryStringHack
Date Mon, 09 Jun 2003 03:49:23 GMT
On Mon, 9 Jun 2003 04:07:02 +0200, André Malo wrote
> Just my opinion: I don't like it very much, since it decreases 
> security and violates the RFC very hard. The Client should be fixed, 
> not the server. ....but I won't stand in the way if there are 
> positive votes on it.

The security is only lessened when:
1) The initial URI compare fails (so if IE fixes this in the future, it
wouldn't even hit this code)
2) a BrowserMatch is made (in my patch)

The changes allow a URI to match even if the query string does not.  It still
checks all other elements of the URI.  This is a *very* small price to pay
when you consider the only other option is to use Basic Authentication (clear
text passwords... etc.)

Microsoft seems to have little motivation to fix their implementation, but in
the meantime digest authentication is rendered mostly useless.  Yes, if you
can control the client side it is a non-issue, but the fact of life is that
the majority of the people on the internet do use Internet Explorer.

I think putting something like this patch in is the better of two evils. It
would allow a more widespread use of digest authentication over basic auth, but
yes it would be slightly less secure than the full implementation of digest for
users of Microsoft's buggy IE.  However I think this change is very valuable
for many sites that would like to use a more secure authentication system
without trying to do everything over HTTPS.

Seriously.  How much difference will a slightly mismatched URI matter when you
consider how a digest auth is done?

I think the security implications are well worth the cost to even allow IE
clients to use digest authentication.  Otherwise Digest will never see
widespread use. ever.
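
As an added example (not the patch under discussion and not mod_auth_digest's code), here is a simplified RFC 2617 Digest check in Python that shows what the "initial URI compare" does and what a query-string-tolerant compare changes. The option name `query_string_hack` is a stand-in for the patch's EnableQueryStringHack, and the user, realm, password and nonce values are constructed for the illustration; qop/cnonce handling and nonce lifetime checks are left out.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample credentials and nonce (not real values).
USERS = {("alice", "example"): "s3cret"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {k: (q if q else b) for k, q, b in _PARAM_RE.findall(rest)}


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_client_header(username, realm, password, method, uri, nonce) -> str:
    """What a client would send; used here only to construct test input."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def uri_matches(header_uri: str, request_uri: str, query_string_hack: bool = False) -> bool:
    """Strict compare by default; with the hack, only the query may differ."""
    if header_uri == request_uri:
        return True
    if not query_string_hack:
        return False
    h, r = urlsplit(header_uri), urlsplit(request_uri)
    # Every other component of the URI must still agree.
    return (h.scheme, h.netloc, h.path) == (r.scheme, r.netloc, r.path)


def verify(header, method, request_uri, nonce, users, query_string_hack=False):
    """Return (ok, reason). `users` maps (username, realm) -> password."""
    p = parse_digest_header(header)
    for k in ("username", "realm", "nonce", "uri", "response"):
        if k not in p:
            return False, f"missing {k}"
    if p["nonce"] != nonce:
        return False, "stale or unknown nonce"
    if not uri_matches(p["uri"], request_uri, query_string_hack):
        return False, "uri mismatch"
    password = users.get((p["username"], p["realm"]))
    if password is None:
        return False, "unknown user"
    # The response hash covers the uri the client put in the header, so the
    # credential check itself is unchanged by relaxing the compare above.
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], nonce)
    if not hmac.compare_digest(expected, p["response"]):
        return False, "bad response digest"
    return True, "ok"


if __name__ == "__main__":
    # Client put "/protected/page" in the header; the actual request carries a query string.
    hdr = build_client_header("alice", "example", "s3cret", "GET", "/protected/page", NONCE)
    print(verify(hdr, "GET", "/protected/page?id=7", NONCE, USERS))
    print(verify(hdr, "GET", "/protected/page?id=7", NONCE, USERS, query_string_hack=True))
```

The strict compare rejects the request because the header's uri and the request URI differ in the query string; with the relaxed compare the path, host and scheme are still required to agree, and the response digest (which is computed over the header's uri) and the nonce are still verified, so a wrong password or a different path is rejected either way.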
