Re: potential security holes in digest authorization
John Franks (john@math.nwu.edu)
Mon, 17 Jul 1995 10:12:16 -0500 (CDT)
According to Chuck Shotton:
>
> According to Kristol:
> >Fair enough. How about using the server-name in place of realm, then?
> >(After all, it's possible two webmasters might choose the same realm
> >name on different servers, isn't it!) That would render the same
> >username/password combination unique on different machines. So the
> >stored hash would be:
> > H(<username> : <server-domain-name> : <password>)
>
> This isn't any better, given that one user may have multiple occurrences of
> the same name and password for different realms. (It happens!) The best
> would be a combination of host domain name and realm name.
>
This would mean that only one hostname could be used in the URL. I.e.
even though host.com and www.host.com are the same host, one of the URLs

    http://host.com/secret.doc

and

    http://www.host.com/secret.doc

would have to fail even when the user supplied a valid username/password.
This would be a serious flaw.

Keep in mind that the realm can be any (reasonably sized) string supplied by
the server maintainer. Thus choosing a realm like

    myrealm@www.myplace.com

is probably a good idea. This would prevent another server maintainer
accidentally choosing the same realm. If another server maintainer
maliciously chooses the same realm, at least that fact is displayed
to the client each time access is requested. If you connect to
www.myplace.com and see a realm with somewhere.else.com in it you
should be very suspicious.
John Franks
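
Added example, not part of the original message: a sketch of the two scoping choices discussed above, showing the host-name scheme rejecting a valid password under a host alias while a server-chosen realm does not, plus the client-side realm check. MD5 as H, the sample user and password, and all function names are assumptions made for illustration.

```python
import hashlib

def stored_hash(username, scope, password):
    """H(<username> : <scope> : <password>); MD5 stands in for H (assumption)."""
    return hashlib.md5(f"{username}:{scope}:{password}".encode()).hexdigest()

def check_by_host(store, username, url_host, password):
    """Scheme from the quoted text: the scope is the host name used in the URL."""
    return store.get(username) == stored_hash(username, url_host, password)

def check_by_realm(store, username, realm, password):
    """Realm scheme: the scope is the realm string the server announces,
    which is the same whichever host alias appears in the URL."""
    return store.get(username) == stored_hash(username, realm, password)

def realm_names_other_host(realm, connected_host):
    """Client-side hint: a realm of the form name@host that names a host
    other than the one we connected to deserves suspicion."""
    if "@" not in realm:
        return False  # realm carries no host name to compare
    claimed = realm.rsplit("@", 1)[1].lower()
    return claimed != connected_host.lower()

def demo():
    user, password = "alice", "s3cret"        # constructed sample values
    realm = "myrealm@www.myplace.com"         # realm style suggested above

    # Password file built when the server was known only as www.host.com.
    host_store = {user: stored_hash(user, "www.host.com", password)}
    realm_store = {user: stored_hash(user, realm, password)}

    return {
        "host_scheme_www.host.com": check_by_host(host_store, user, "www.host.com", password),
        "host_scheme_host.com": check_by_host(host_store, user, "host.com", password),
        "realm_scheme_either_url": check_by_realm(realm_store, user, realm, password),
        "own_realm_suspicious": realm_names_other_host(realm, "www.myplace.com"),
        "foreign_realm_suspicious": realm_names_other_host(
            "myrealm@somewhere.else.com", "www.myplace.com"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```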