Re: More KeyedDigest... Re: another Digest Access Authentication

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Hulten, W.M. van: "Q: HTTP/1.0 being "...stateless, object-"
• Previous message: Gavin Nicol: "Re: proposal for a new html tag"
• In reply to: Phillip M. Hallam-Baker: "Re: More KeyedDigest... Re: another Digest Access Authentication question"
• Next in thread: Eric W. Sink: "Re: another Digest Access Authentication question"

"Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch> writes:
> The problem is not just that the information is passed en-clair. Mallet
> is able to bypass the authentication system so that he has greater
> access than that of a pure passive lisner.

Mallet may have been able to fool Alice into accessing her email on Bob's 
server, thus making it visible to anyone watching the traffic between Alice 
and Bob, but it is not clear that Mallet can do more than this unless there is 
some problem hidden in the words "uri sans proxy/routing" which lets Mallet 
fool Alice into using him as a proxy to Bob.

To put himself in the access path, the problem for Mallet is to construct a 
URI which causes Alice to send the request to Mallet with a digest that 
contains a requested URI that Bob will honour. It is not clear how Mallet can 
do this unless Alice is happy to adopt an arbitrary proxy.

Regards,
  Owen Rees <rtor@ansa.co.uk>
Information about ANSA is at <URL:http://www.ansa.co.uk/>.

• Next message: Hulten, W.M. van: "Q: HTTP/1.0 being "...stateless, object-"
• Previous message: Gavin Nicol: "Re: proposal for a new html tag"
• In reply to: Phillip M. Hallam-Baker: "Re: More KeyedDigest... Re: another Digest Access Authentication question"
• Next in thread: Eric W. Sink: "Re: another Digest Access Authentication question"