httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: Digest auth - no nonce/replay checking
Date Wed, 17 Dec 2003 13:07:35 GMT
Dirk-Willem van Gulik wrote:

> Unless I missed something we nicely issue a nonce during digest auth
> (based on r->request_time) - but when the reply comes in with an
> (Proxy-)Authenticate header we use the nonce provided by the client; and
> do not check if it was anywhere near reasonably likely that we issued it.
> 
> So I guess
> 
> ->	The release notes and the digest docs should
> 	probably contain a warning that we are not
> 	hardened against certain replay attacks.
> 
> ->	Long term we probably want to solve this; e.g.
> 	by using a hash over a static secret or something.

I distinctly remember discussing this at the time - guess I didn't have 
the energy to fix it then :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
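The check Dirk suggests (a nonce bound to a server-only secret and its issue time, so a client-supplied value is rejected), as an added Python illustration that is not part of this thread or of httpd's own code; the secret, lifetime and function names are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed server secret for the example; a real server would generate
# a random per-process or per-restart value (assumption, not httpd's code).
SERVER_SECRET = b"example-static-secret-do-not-use"
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed policy)


def _tag(issued_at: int, secret: bytes) -> str:
    # HMAC over the issue time: only a holder of the secret can produce it.
    return hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()


def issue_nonce(now: int, secret: bytes = SERVER_SECRET) -> str:
    # The nonce carries its own issue time plus the server's tag over it,
    # so verification needs no per-nonce server-side state.
    return f"{now}:{_tag(now, secret)}"


def verify_nonce(nonce: str, now: int, secret: bytes = SERVER_SECRET,
                 lifetime: int = NONCE_LIFETIME) -> bool:
    # Reject anything this server could not have issued, or that is too old.
    try:
        ts_str, tag = nonce.split(":", 1)
        issued_at = int(ts_str)
    except ValueError:
        return False  # malformed: not in the server's nonce format
    if not hmac.compare_digest(tag, _tag(issued_at, secret)):
        return False  # client-chosen or tampered nonce
    if issued_at > now or now - issued_at > lifetime:
        return False  # from the future, or expired (limits replay window)
    return True
```

The lifetime bound limits but does not eliminate replay inside the window; tracking the client's `nc` counter per nonce, as Digest auth provides for, closes that remaining gap.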
