From: Martin Gainty
To: Tomcat Users List
Subject: RE: interaction between .forward() and
Date: Sat, 4 Sep 2010 20:15:51 -0400
In-Reply-To: <4C82D507.1040701@apache.org>

far easier to implement than HTTPS
what can MIM access with just the session-id?
is this comparison DIGEST vs HTTPS documented
Martin
______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.

> Date: Sun, 5 Sep 2010 00:23:51 +0100
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: interaction between .forward() and
>
> On 04/09/2010 17:27, André Warnier wrote:
> > Digest authentication is not very popular, and rather a pain to
> > implement yourself.
> > The reason why it is not very popular is that it is a bit of a halfway
> > solution: it does avoid user passwords being transmitted in clear over
> > the net, but it is not safe against man-in-the-middle attacks (someone can
> > record the digest, and use it to authenticate later as that user).
>
> No they can't. DIGEST is secure against such an attack. Any session ID,
> however, will be vulnerable.
>
> > And
> > it still leaves the subsequent conversation unencrypted.
>
> True.
>
> > If you really need security, then you should run your entire site under
> > HTTPS.
>
> It depends on what you are trying to protect. Generally, this is true
> but there will be edge cases where DIGEST is sufficient.
>
> Mark
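A worked illustration of Mark's point about recorded digests, added here and not part of the thread or of Tomcat's own DigestAuthenticator: a simplified RFC 2617 response computation plus a server-side check that binds each response to the server nonce and a strictly increasing nonce count, so a recorded response is rejected on a second use and under a fresh nonce, whereas a bare session id has no such binding. The realm, user name, password and nonce values are constructed sample data.

```python
import hashlib
import hmac
import secrets

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 client response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Minimal verifier (constructed, not Tomcat's): issued nonces and the highest nc seen per nonce."""
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password, constructed sample data
        self.nonces = {}        # nonce -> highest nonce-count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)   # fresh server nonce for the WWW-Authenticate challenge
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.nonces or user not in self.users:
            return False            # unknown or expired nonce, or unknown user
        if int(nc, 16) <= self.nonces[nonce]:
            return False            # nc did not increase: a replayed request
        expected = digest_response(user, self.realm, self.users[user], method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False            # response not computed over this nonce/credentials
        self.nonces[nonce] = int(nc, 16)
        return True

def replay_protection_demo():
    """Returns (first use accepted, identical replay accepted, same response under a new nonce)."""
    srv = DigestServer("example", {"alice": "s3cret"})
    nonce = srv.challenge()
    resp = digest_response("alice", "example", "s3cret", "GET", "/private", nonce, "00000001", "0a4f")
    first = srv.verify("alice", "GET", "/private", nonce, "00000001", "0a4f", resp)
    replay = srv.verify("alice", "GET", "/private", nonce, "00000001", "0a4f", resp)
    fresh = srv.verify("alice", "GET", "/private", srv.challenge(), "00000001", "0a4f", resp)
    return first, replay, fresh
```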