Re: Digest Authentication, Netscape, and Microsoft
Daniel DuBois (dan@spyglass.com)
Tue, 15 Apr 1997 22:10:15 GMT
On Tue, 15 Apr 1997 17:47:03 -0400 (EDT), "nemo/Joel N. Weber II"
<devnull@gnu.ai.mit.edu> wrote:
> Except that SSL is rather heavy weight performance wise and hence may be
> overkill where the real objective is reasonably reliable identification of
> a user w/o compromising their password data.
>
>I still don't quite see this.
>Because if I can watch someone's packets fly across a network segment,
>can't I take over their connection after it has been established?
>Obviously, for me to read the password, I have to know what I'm doing.
>So hijacking a connection would not be much harder. (Especially
With Digest Authentication, hijacking a connection will not allow you to
make subsequent requests over that connection (of different URLs) without
knowledge of the shared secret (aka password). There's an MD5 hash of the
URL, the password, and some other data.
-----
Daniel DuBois, Traveling Coderman www.spyglass.com/~ddubois
"The problem with political jokes is that they get elected."