Re: Digest mess
Scott Lawrence (lawrence@agranat.com)
Tue, 06 Jan 1998 14:08:19 -0500
>>>>> "BL" == Ben Laurie <ben@algroup.co.uk> writes:
BL> The Apache implementation is already marked as not suitable for serious
BL> use, because of the server's vulnerability to a replay. I'm not sure how
BL> to avoid this, except, perhaps, by tying the nonce to the (rough) time
BL> and the URL. Of course, a client nonce doesn't help with this at all,
I don't believe that I understand this comment - if the server
always generates a unique nonce how is it vulnerable to a replay?
Granted, if it doesn't then it has a problem...
BL> Actually, if we could insist that the digest authed request was in the
BL> same keptalive session as the original request, that'd help a lot...
TCP connections can be hijacked - it doesn't help.
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
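An added example, not code from this thread, of the server-side nonce scheme Ben Laurie suggests: the nonce is bound to the (rough) time and the request URI with a keyed MAC, so a captured Authorization header is rejected when presented for another URI or after the window closes. The NonceTracker goes beyond the message and refuses a repeated nonce-count for the same nonce inside the window. The secret key and the 300-second window are assumptions.

```python
import hmac
import hashlib
import time

SECRET = b"constructed-server-secret"  # assumption: per-server secret key
MAX_AGE = 300                           # assumption: seconds a nonce stays valid


def make_nonce(uri, now=None, secret=SECRET):
    """Nonce bound to issue time and URI: '<ts>:<hex HMAC(secret, ts:uri)>'."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, f"{ts}:{uri}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_nonce(nonce, uri, now=None, secret=SECRET, max_age=MAX_AGE):
    """Return (ok, reason). Rejects a nonce that is malformed, was issued for a
    different URI, or is older than max_age seconds (replay window)."""
    try:
        ts, mac = nonce.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{ts}:{uri}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac"      # wrong URI or tampered timestamp
    current = now if now is not None else time.time()
    if current - issued > max_age:
        return False, "stale"        # outside the time window
    return True, "ok"


class NonceTracker:
    """Remember the highest nonce-count seen per nonce so that an identical
    request replayed inside the validity window is refused."""

    def __init__(self):
        self.seen = {}

    def accept(self, nonce, nc):
        if nc <= self.seen.get(nonce, 0):
            return False             # same or earlier count: replay
        self.seen[nonce] = nc
        return True
```

A stale nonce should make the server answer 401 with a fresh challenge rather than treat the request as a forgery, since a slow client will legitimately hit the window.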