Re: Digest mess
John Franks (john@math.nwu.edu)
Tue, 6 Jan 1998 12:59:44 -0600 (CST)
On Tue, 6 Jan 1998, Ben Laurie wrote:
>
> The Apache implementation is already marked as not suitable for serious
> use, because of the server's vulnerability to a replay.
I don't understand. The Apache implementation only authenticates a client
to the server. This works. There is no possibility of replay unless
the server re-uses nonces (which I can't believe any implementation
would do).
Going the other direction, the base digest mechanism (as implemented
in Apache) does not authenticate a server to a client. It is just
like Basic in that respect. Since there is no authentication there
can be no attack, replay or otherwise.
The base digest authentication is a replacement for Basic, but without
passwords in the clear. Apache presumably does that fine. This is a
"serious use". There are, of course, other "serious uses" which it
does not implement and this will always be the case.
>
> Actually, if we could insist that the digest authed request was in the
> same kept-alive session as the original request, that'd help a lot...
>
Why? Are you saying that once Apache has received valid credentials
for one request it allows access for (some) other requests in the same
keep-alive session which don't have credentials? Surely, that can't
be true.
Maybe I don't understand what you are saying.
John Franks
john@math.nwu.edu
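The replay point in the message turns on one thing: whether the server ever accepts the same nonce twice. The following is an added illustration, not code from Apache or from either poster, of a server-side Digest check in the RFC 2069 form that was current in 1998 (MD5 of HA1:nonce:HA2, no qop or cnonce). The realm, user, password and URI are constructed sample values; the `DigestServer` class and its `reuse_nonces` switch are this example's own, used only to place the strict and nonce-reusing behaviours side by side.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for the example (not taken from the thread).
REALM = "example.org"
USER = "alice"
PASSWORD = "correct horse"
METHOD = "GET"
URI = "/private/report.html"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """Client side, RFC 2069 style: response = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server that issues nonces and verifies Digest credentials."""

    def __init__(self, nonce_lifetime=300, reuse_nonces=False):
        # Store only HA1, never the cleartext password.
        self.users = {USER: md5_hex(f"{USER}:{REALM}:{PASSWORD}")}
        self.issued = {}          # nonce -> time it was handed out
        self.used = set()         # nonces that have already been accepted once
        self.nonce_lifetime = nonce_lifetime
        self.reuse_nonces = reuse_nonces  # True models the weak behaviour

    def issue_nonce(self, now=None):
        now = time.time() if now is None else now
        nonce = os.urandom(16).hex()  # unpredictable, never reissued
        self.issued[nonce] = now
        return nonce

    def verify(self, user, nonce, method, uri, response, now=None):
        now = time.time() if now is None else now
        issued_at = self.issued.get(nonce)
        if issued_at is None:
            return "reject: unknown nonce"
        if now - issued_at > self.nonce_lifetime:
            return "reject: stale nonce"
        if not self.reuse_nonces and nonce in self.used:
            return "reject: nonce already used (replay)"
        ha1 = self.users.get(user)
        if ha1 is None:
            return "reject: unknown user"
        expected = md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(expected, response):
            return "reject: bad response"
        self.used.add(nonce)
        return "accept"


def replay_demo():
    """Present one captured, valid credential twice to a strict and to a lax server."""
    results = {}
    strict = DigestServer(reuse_nonces=False)
    n = strict.issue_nonce(now=1000.0)
    resp = digest_response(USER, REALM, PASSWORD, n, METHOD, URI)
    results["strict_first"] = strict.verify(USER, n, METHOD, URI, resp, now=1001.0)
    results["strict_replay"] = strict.verify(USER, n, METHOD, URI, resp, now=1002.0)

    lax = DigestServer(reuse_nonces=True)
    n2 = lax.issue_nonce(now=1000.0)
    resp2 = digest_response(USER, REALM, PASSWORD, n2, METHOD, URI)
    results["lax_first"] = lax.verify(USER, n2, METHOD, URI, resp2, now=1001.0)
    results["lax_replay"] = lax.verify(USER, n2, METHOD, URI, resp2, now=1002.0)
    # The digest still binds method and URI, so a changed URI fails even here.
    results["lax_other_uri"] = lax.verify(USER, n2, METHOD, "/private/other.html", resp2, now=1002.0)
    # Expiry bounds the window even for a server that tolerates reuse.
    results["lax_stale"] = lax.verify(USER, n2, METHOD, URI, resp2, now=1301.0)
    return results


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k:16} {v}")
```

The strict server accepts the credential once and rejects the identical second presentation; the lax server accepts both, which is the replay Ben Laurie refers to and the nonce reuse John Franks says no implementation should allow. Note what the check does and does not cover: it authenticates the client to the server and binds the request to a method and URI, but nothing here authenticates the server to the client, which is the second point made above.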