[mod_python] Authentication and security in general

Nicolas Lehuen nicolas at lehuen.com
Wed Apr 26 14:24:55 EDT 2006


2006/4/26, Dan Eloff <dan.eloff at gmail.com>:
>
> > Digest auth protects your password very well (it's not sent over the
> > network at all). It does not
> > protect the contents or URL or any other part of the request like SSL
> > does. It is very hard to
> > calculate a password based on its MD5 hash alone.
>
> Yes, it protects the password perfectly. But that just stops a person
> from using your username and password to login with. It's remarkably
> easy to just send the username and digest and gain access to all the
> same things. Most people who would have the skills to glean your
> username/password from the communications would know how to do this.
> So it only offers the illusion of security.
>
> -Dan
>

There is a double nonce system used to "salt" the MD5 and prevent replays.
See

http://en.wikipedia.org/wiki/Digest_access_authentication

And the RFC, of course.

I'm no security expert, but judging from the protocol, it seems that digest
auth is pretty safe and well thought out - except that it doesn't hide the rest
of the HTTP headers and that MD5 has shown serious weaknesses.

Regards,
Nicolas
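The nonce/cnonce mechanism discussed above, shown in working code as an added example (it is not code from this thread or from mod_python): the RFC 2617 Digest computation with qop="auth" on the client side, and a minimal server-side verifier that tracks the server nonce and its nonce-count so that a captured Authorization header cannot simply be sent again or redirected at another URI. The realm, user and password are the constructed values from the RFC's own illustration; the plaintext password store, the `DigestServer` class and the `demo()` walkthrough are assumptions for the demo, not a real implementation.

```python
import hashlib
import hmac
import secrets

# Added example (not from the mailing-list thread): RFC 2617 Digest with qop="auth",
# plus the server-side nonce / nonce-count bookkeeping that makes a replay fail.


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) per RFC 2617.

    HA1 is bound to the realm, the response to the server nonce and the client
    cnonce, so the password itself never crosses the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server-side verifier (hypothetical demo class; passwords are kept in
    plaintext here, a real deployment stores HA1 instead)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password
        self.nonces = {}        # server nonce -> highest nonce-count accepted so far

    def challenge(self):
        """Issue a fresh, unpredictable nonce for the WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, uri, auth):
        """auth: parsed Authorization fields. Returns (ok, reason)."""
        nonce = auth["nonce"]
        if nonce not in self.nonces:
            return False, "unknown nonce"
        nc = int(auth["nc"], 16)
        # A strictly increasing nonce-count is what defeats a verbatim replay.
        if nc <= self.nonces[nonce]:
            return False, "replayed nonce-count"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password, method, uri,
                                   nonce, auth["nc"], auth["cnonce"], auth.get("qop", "auth"))
        # The response is bound to method, URI, nonce and nc, so a captured value
        # cannot be moved to a different request.
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad response"
        self.nonces[nonce] = nc
        return True, "ok"


def demo():
    """Walk through: accept, verbatim replay, reuse against another URI, next legitimate request."""
    # Constructed credentials (the RFC 2617 illustration values).
    server = DigestServer("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)

    def client_auth(uri, nc):
        return {"username": "Mufasa", "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth",
                "response": digest_response("Mufasa", server.realm, "Circle Of Life",
                                            "GET", uri, nonce, nc, cnonce)}

    results = {}
    first = client_auth("/dir/index.html", "00000001")
    results["first"] = server.verify("GET", "/dir/index.html", first)
    # The same header presented a second time is rejected on nonce-count alone.
    results["replay"] = server.verify("GET", "/dir/index.html", first)
    # Bumping nc and aiming the captured response at another URI: the digest no longer matches.
    forged = dict(first, nc="00000002")
    results["other_uri"] = server.verify("GET", "/admin", forged)
    # The legitimate client's next request with nc=2 still works.
    results["second"] = server.verify("GET", "/dir/index.html", client_auth("/dir/index.html", "00000002"))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:10s} -> {outcome}")
```

The verifier only ever sees MD5 outputs, never the password, which is the "not sent over the network at all" property from the quoted text; the nonce-count check is what turns the nonce/cnonce salting into an actual replay defence, and it only works if the server keeps state per issued nonce. None of this protects the rest of the request, so the caveat about headers and URL travelling in the clear still stands.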