Re: potential security holes in digest authorization
Dave Kristol (dmk@allegra.att.com)
Mon, 17 Jul 95 11:29:31 EDT
John Franks <john@math.nwu.edu> said:
[regarding my proposal to embed hostname in the password file line]
> This would mean that only one hostname could be used in the URL. I.e.
> even though host.com and www.host.com are the same host, one of the URLs
>
> http://host.com/secret.doc
> and
> http://www.host.com/secret.doc
>
> would have to fail even when the user supplied a valid username/password.
> This would be a serious flaw.
I disagree with the premise. I wouldn't encode the domain name that
the user accessed to reach my server. I would encode the name that the
server uses for itself, for example the name set by NCSA HTTPD
ServerName directive.
>
> Keep in mind that the realm can be any (reasonable sized) string supplied by
> the server maintainer. Thus choosing a realm like
>
> myrealm@www.myplace.com
>
> is probably a good idea. This would prevent another server maintainer
> accidentally choosing the same realm. If another server maintainer
> maliciously chooses the same realm, at least that fact is displayed
> to the client each time access is requested. If you connect to
> www.myplace.com and see a realm with somewhere.else.com in it you
> should be very suspicious.
Thank you for motivating my second quibble, namely: I want to be able
to specify a (user/password) prompt independent of the realm. I don't
think much of a realm named "myrealm@www.myplace.com", but maybe I'm
perverse. I prefer
Enter username for [prompt that I specify] at www.research.att.com:
to
Enter username for myrealm@www.myplace.com at www.myplace.com
Evidently (sigh) I'm the only person in the world who feels this way.
Dave Kristol