httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: Digest auth - no nonce/replay checking
Date Wed, 17 Dec 2003 13:07:35 GMT
Dirk-Willem van Gulik wrote:

> Unless I missed something we nicely issue a nonce during digest auth
> (based on r->request_time) - but when the reply comes in with an
> (Proxy-)Authenticate header we use the nonce provided by the client; and
> do not check if it was any where near reasonably likely that we issued it.
> So I guess
> ->	The release notes and the digest docs should
> 	propably contain a warning that we are not
> 	hardnened against certain replay attacks.
> ->	Long term we propably want to solve this; e.g.
> 	by using a hash over a static secret or somethign.

I distinctly remember discussing this at the time - guess I didn't have 
the energy to fix it then :-)




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

View raw message