[mod_python] Authentication and security in general

Nicolas Lehuen nicolas at lehuen.com
Wed Apr 26 14:24:55 EDT 2006

2006/4/26, Dan Eloff <dan.eloff at gmail.com>:
> > Digest auth protects your password very well (it's not sent over the
> > network at all). It does not protect the contents or URL or any other
> > part of the request like SSL does. It is very hard to calculate a
> > password based on its MD5 hash alone.
> Yes, it protects the password perfectly. But that just stops a person
> from using your username and password to login with. It's remarkably
> easy to just send the username and digest and gain access to all the
> same things. Most people who would have the skills to glean your
> username/password from the communications would know how to do this.
> So it only offers the illusion of security.
> -Dan

There is a double nonce system used to "salt" the MD5 and prevent replays.


And the RFC, of course.

I'm no security expert, but judging from the protocol, it seems that digest
auth is pretty safe and well thought out - except that it doesn't hide the rest
of the HTTP headers and that MD5 has shown serious weaknesses.
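As an added illustration of the double-nonce point above (not code from the thread or from mod_python), here is the RFC 2617 response computation for qop="auth" next to a server-side verifier that tracks the nonce count per server nonce. The realm, user and password are constructed sample values; a captured Authorization header replayed with the same nonce and nc is rejected, and the same response is also invalid once the server issues a fresh nonce.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop="auth": response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: issues nonces and remembers the highest nonce-count (nc)
    accepted for each one, so a replayed header (same nonce, same nc) fails."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users   # constructed sample: username -> password
        self.issued = {}     # server nonce -> highest nc accepted so far

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.issued:            # unknown or expired server nonce
            return False
        count = int(nc, 16)
        if count <= self.issued[nonce]:          # nc reused or out of order: replay
            return False
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.issued[nonce] = count
        return True


def demo():
    srv = DigestVerifier("example", {"alice": "s3cret"})
    nonce, cnonce = srv.new_nonce(), secrets.token_hex(8)
    resp = digest_response("alice", "example", "s3cret", "GET", "/private", nonce, "00000001", cnonce)
    first = srv.verify("alice", "GET", "/private", nonce, "00000001", cnonce, resp)
    replay = srv.verify("alice", "GET", "/private", nonce, "00000001", cnonce, resp)  # same header again
    stale = srv.verify("alice", "GET", "/private", srv.new_nonce(), "00000001", cnonce, resp)
    return first, replay, stale   # (True, False, False)
```

The nc check is what turns the nonces into replay protection; the caveats in the message still apply, since the rest of the request is in the clear and the hash is MD5.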
