macforge.org via https?
Landon Fuller
landonf at macports.org
Mon Dec 31 15:26:39 PST 2007
On Dec 25, 2007, at 8:44 AM, Juan Manuel Palacios wrote:
>
> On Dec 25, 2007, at 8:51 AM, js wrote:
>
>> Forwarding to macports developers.
>>
>>
>> ---------- Forwarded message ----------
>> From: js <ebgssth at gmail.com>
>> Date: Dec 25, 2007 12:19 AM
>> Subject: macforge.org via https?
>> To: MacPorts Users <macports-users at lists.macosforge.org>
>>
>>
>> Hi list,
>>
>> A simple question.
>>
>> is there any reason http://www.macosforge.org/wp-login.php is not
>> HTTPS?
>
>
> Because we use http digest for authentication, not SSL.

But HTTP digest doesn't solve any of the problems that SSL solves:

- It is still vulnerable to a MITM attack. Your password is hashed,
  but the hash is password-equivalent -- an attacker can simply forward
  it on.
- Digest authentication is indistinguishable from Basic
  authentication -- your browser will display the same dialog regardless
  of the authentication type.

At best, it will prevent a passive attacker from acquiring your
password. Anyone engaging in an active MITM attack will have no
difficulty acquiring your password.

-landonf
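
The password-equivalence point in the message above, as an added example that is not part of the original post or of any MacPorts code: an RFC 2617 (qop=auth) server-side check needs only the stored hash, and the response it accepts is not bound to the connection that delivers it. The function names are hypothetical; the sample values are those of the worked example in RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # The only place the password enters the scheme.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 qop=auth covers the method, the URI and the nonces.
    # Nothing in it identifies the connection or the peer sending it.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1: str, method: str, auth: dict) -> bool:
    # The server recomputes the response from the stored HA1 alone.
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])

# Sample values from the worked example in RFC 2617.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def client_header(ha1_hex: str) -> dict:
    # Builds the Authorization fields from HA1 only; the cleartext
    # password is never needed once HA1 is known.
    fields = {"uri": "/dir/index.html", "nonce": CHALLENGE_NONCE,
              "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    fields["response"] = digest_response(ha1_hex, "GET", **fields)
    return fields

if __name__ == "__main__":
    stored = ha1(USER, REALM, PASSWORD)      # what the server keeps on disk
    header = client_header(stored)           # computed without the password
    print("response:", header["response"])
    print("accepted:", server_verify(stored, "GET", header))
```

Because the check depends only on HA1 and the header fields, the stored HA1 needs the same protection as a cleartext password, and the exchange needs TLS underneath it to authenticate the server and the channel.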