Nicolas Lehuen
nicolas at lehuen.com
Wed Apr 26 14:24:55 EDT 2006
2006/4/26, Dan Eloff <dan.eloff at gmail.com>:
>
> > Digest auth protects your password very well (it's not sent over the
> > network at all). It does not protect the contents or URL or any other
> > part of the request like SSL does. It is very hard to calculate a
> > password based on its MD5 hash alone.
>
> Yes, it protects the password perfectly. But that just stops a person
> from using your username and password to log in with. It's remarkably
> easy to just send the username and digest and gain access to all the
> same things. Most people who would have the skills to glean your
> username/password from the communications would know how to do this.
> So it only offers the illusion of security.
>
> -Dan
>

There is a double nonce system used to "salt" the MD5 and prevent replays.

See http://en.wikipedia.org/wiki/Digest_access_authentication

And the RFC, of course.

I'm no security expert, but judging from the protocol, it seems that digest
auth is pretty safe and well thought out - except that it doesn't hide the
rest of the HTTP headers and that MD5 has shown serious weaknesses.

Regards,
Nicolas
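The "double nonce" mechanism Nicolas refers to is the server nonce plus the client's cnonce and nonce-count (nc) in the qop=auth response. The following is an added worked example (not code from the post, from mod_python, or from the RFC): it computes the RFC 2617 response and runs a small server-side verifier that tracks the highest nc accepted per nonce, then plays out why resending a captured Authorization header fails. The DigestServer class, its method names, the toy user store and the demo sequence are this example's own assumptions; the username, realm, password, nonce and cnonce values are the worked example from RFC 2617 section 3.5.

```python
"""RFC 2617 digest auth (qop=auth): response computation plus a server-side
nonce / nonce-count tracker that rejects replayed Authorization headers.

Added example, not from the mod_python list post. DigestServer, client_auth
and demo are assumed names for illustration; the credential and nonce values
are the worked example from RFC 2617 section 3.5."""
import hashlib
import hmac
import os
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for the qop=auth case.
    HA1 binds the secret; nonce, nc and cnonce are the per-request salt that
    makes a captured response useless for any other (nonce, nc) pair or URI."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal verifier (assumed design): per issued nonce, remember the
    highest nc accepted so a header captured off the wire cannot be resent."""

    def __init__(self, realm, users, nonce_ttl=300):
        self.realm = realm
        self.users = users          # username -> password (constructed toy store)
        self.nonce_ttl = nonce_ttl  # seconds a server nonce stays valid
        self.nonces = {}            # nonce -> [issued_at, highest nc accepted]

    def challenge(self, nonce=None, now=None):
        """Issue a server nonce: random, unless one is supplied for the demo."""
        nonce = nonce or os.urandom(16).hex()
        self.nonces[nonce] = [now if now is not None else time.time(), 0]
        return nonce

    def verify(self, method, uri, auth, now=None):
        """Return (accepted, reason) for a parsed Authorization header `auth`."""
        now = now if now is not None else time.time()
        entry = self.nonces.get(auth["nonce"])
        if entry is None:
            return False, "unknown nonce"
        issued, last_nc = entry
        if now - issued > self.nonce_ttl:
            del self.nonces[auth["nonce"]]
            return False, "stale nonce"
        nc = int(auth["nc"], 16)
        if nc <= last_nc:                     # verbatim replay of an old header
            return False, "replayed nc"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad response"      # cannot be recomputed without HA1
        entry[1] = nc                         # only advance nc on success
        return True, "ok"


def client_auth(nonce, nc, uri, cnonce="0a4f113b"):
    """What a legitimate client, which knows the password, sends for one request."""
    return {"username": "Mufasa", "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                                        "GET", uri, nonce, nc, cnonce)}


def demo():
    """One legitimate request, three attacker attempts with the captured header
    (verbatim replay, bumped nc, other URI), a legitimate follow-up, then expiry."""
    server = DigestServer("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    t0 = 1000.0
    nonce = server.challenge(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", now=t0)
    captured = client_auth(nonce, "00000001", "/dir/index.html")  # sniffed by attacker
    return [
        server.verify("GET", "/dir/index.html", captured, now=t0 + 1)[1],
        server.verify("GET", "/dir/index.html", captured, now=t0 + 2)[1],
        server.verify("GET", "/dir/index.html", dict(captured, nc="00000002"), now=t0 + 3)[1],
        server.verify("GET", "/admin", dict(captured, nc="00000002"), now=t0 + 4)[1],
        server.verify("GET", "/dir/index.html",
                      client_auth(nonce, "00000002", "/dir/index.html"), now=t0 + 5)[1],
        server.verify("GET", "/dir/index.html",
                      client_auth(nonce, "00000003", "/dir/index.html"), now=t0 + 400)[1],
    ]


if __name__ == "__main__":
    print(demo())
```

Running demo() gives ok, replayed nc, bad response, bad response, ok, stale nonce: the verbatim replay dies on the nonce-count check, and any edit to nc or the URI changes the expected hash, which the attacker cannot recompute without HA1. The caveats stand as the message states them: nothing else in the request is protected, and a captured response still allows offline guessing of a weak password against the known nonce values.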