macforge.org via https?
Kevin Van Vechten
kvv at apple.com
Wed Jan 2 10:40:51 PST 2008
On Dec 31, 2007, at 3:26 PM, Landon Fuller wrote:
> But HTTP digest doesn't solve any of the problems that SSL solves:
> - It is still vulnerable to a MITM attack. Your password is hashed,
> but the hash is password-equivalent -- an attacker can simply
> forward it on.
Not really... the server sends a random nonce-value, and the client
must include that in the hashed-response. Replay is not an issue.
response = MD5(MD5(username : realm : password), nonce, MD5(method : uri))
http://rfc.net/rfc2069.html
> - Digest authentication is indistinguishable from Basic
> authentication -- your browser will display the same dialog
> regardless of the authentication type.
Safari distinguishes them; Basic authentication dialogs say the
password will be sent in the clear.
> At best, it will prevent a passive attacker from acquiring your
> password. Anyone engaging in an active MITM attack will have no
> difficulty acquiring your password.
I agree SSL provides additional security benefits, but digest
authentication isn't as transparent as you indicate.
- Kevin
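An added example, not part of the thread: the RFC 2069 response computation Kevin describes, paired with a server-side verifier that issues single-use nonces, so a captured response cannot be replayed. The realm, username and password are constructed; `DigestServer` is a hypothetical name.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069: response = MD5(HA1 : nonce : HA2), where
    HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal verifier (hypothetical). Tracks issued nonces so each
    response is bound to one challenge and is accepted only once."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials   # username -> password (constructed)
        self.outstanding = set()         # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)    # fresh random nonce per request
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        # Unknown or already-consumed nonce: a replayed response is rejected.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # single use
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   nonce, method, uri)
        return hmac.compare_digest(expected, response)


def demo():
    """Legitimate login succeeds; replaying the same response fails."""
    server = DigestServer("example.realm", {"alice": "s3cret"})  # constructed
    nonce = server.challenge()
    resp = digest_response("alice", "example.realm", "s3cret",
                           nonce, "GET", "/login")
    first = server.verify("alice", nonce, "GET", "/login", resp)
    replay = server.verify("alice", nonce, "GET", "/login", resp)
    return first, replay


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that the nonce only defeats replay: a relay that forwards the response within the same live exchange, as Landon points out, is not stopped by this check.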