macforge.org via https?
Kevin Van Vechten
kvv at apple.com
Wed Jan 2 12:45:53 PST 2008
On Jan 2, 2008, at 12:37 PM, Landon Fuller wrote:
>>> - Digest authentication is indistinguishable from Basic
>>> authentication -- your browser will display the same dialog
>>> regardless of the authentication type.
>>
>> Safari distinguishes them; Basic authentication dialogs say the
>> password will be sent in the clear.
>
> Currently, trying to access http://www.macosforge.org/wp-login.php
> in Safari says the following:
> "Your password will be sent in the clear."
Oh right, ironically Safari has a bug in that the message is displayed
even for digest authentication (it is not intended to be).
> Firefox doesn't show any difference in the auth dialog -- I'd easily
> log in using the basic auth. Also, does Safari refuse to auto-login
> if the authentication type changes?
Unknown. The RFC suggests that it should. =)
>>> At best, it will prevent a passive attacker from acquiring your
>>> password. Anyone engaging in an active MITM attack will have no
>>> difficulty acquiring your password.
>>
>> I agree SSL provides additional security benefits, but digest
>> authentication isn't as transparent as you indicate.
>
> I still hold that it is -- digest auth makes passive sniffing
> useless, but it doesn't prevent an active attack from acquiring your
> password, especially if you're using a browser that fails to
> differentiate between digest and basic auth.
We're probably talking past each other, and I'm probably splitting
hairs. I disagree that the MITM can "acquire your password" but I
agree that a MITM could "masquerade as you."
- Kevin
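Added example, not from this thread or from any browser's code, illustrating the two points argued above: the RFC 2617 Digest response never carries the password on the wire (which is why passive sniffing is useless), and the client-side check the RFC suggests against a scheme downgrade, i.e. refusing to auto-send credentials for Basic once Digest has been seen for the same origin. The hostnames, realm and credentials are constructed.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, realm: str, method: str, uri: str,
                    nonce: str, nc: str = "00000001", cnonce: Optional[str] = None,
                    qop: str = "auth") -> Dict[str, str]:
    """Build the Authorization header fields a client sends for RFC 2617
    Digest with qop=auth. Only hashes derived from the password leave the
    client; the password itself is not among the returned fields."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = _md5(f"{user}:{realm}:{password}")        # A1 = user:realm:password
    ha2 = _md5(f"{method}:{uri}")                    # A2 = method:uri
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": response}


# Relative strength of the two HTTP auth schemes discussed in the thread.
SCHEME_RANK = {"basic": 1, "digest": 2}


def may_send_credentials(origin: str, offered_scheme: str,
                         strongest_seen: Dict[str, str]) -> bool:
    """Downgrade check in the spirit of RFC 2617 section 4.8: remember the
    strongest scheme each origin has ever requested and refuse to auto-send
    credentials when a weaker one is offered (an active MITM turning a
    Digest challenge into a Basic one). `strongest_seen` is the client's
    per-origin memory and is updated in place (hypothetical store)."""
    scheme = offered_scheme.lower()
    prev = strongest_seen.get(origin)
    if prev is not None and SCHEME_RANK[scheme] < SCHEME_RANK[prev]:
        return False  # weaker than what this origin used before: do not auto-login
    if prev is None or SCHEME_RANK[scheme] > SCHEME_RANK[prev]:
        strongest_seen[origin] = scheme
    return True
```

The `digest_response` function reproduces the worked example in RFC 2617 section 3.5 when fed that section's inputs, which is a convenient self-check.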