[mod_python] Authentication and security in general

Dan Eloff dan.eloff at gmail.com
Wed Apr 26 19:28:37 EDT 2006


You're right. I read this in the apache docs:

"Next, with regard to security considerations, you should understand
two things. Although your password is not passed in the clear, all of
your data is, and so this is a rather small measure of security. And,
although your password is not really sent at all, but a digest form of
it, someone very familiar with the workings of HTTP could use that
information - just your digested password - and use that to gain
access to the content, since that digested password is really all the
information required to access the web site."

But it was for version 1.3, so maybe it's dated or just plain
incorrect. It looks pretty secure anyway.

But of course the best is still SSL/TLS.

-Dan

On 4/26/06, Nicolas Lehuen <nicolas at lehuen.com> wrote:
> 2006/4/26, Dan Eloff <dan.eloff at gmail.com>:
>
> > > Digest auth protects your password very well (it's not sent over the
> > > network at all). It does not protect the contents or URL or any other
> > > part of the request like SSL does. It is very hard to calculate a
> > > password based on its MD5 hash alone.
> >
> > Yes, it protects the password perfectly. But that just stops a person
> > from using your username and password to login with. It's remarkably
> > easy to just send the username and digest and gain access to all the
> > same things. Most people who would have the skills to glean your
> > username/password from the communications would know how to do this.
> > So it only offers the illusion of security.
> >
> > -Dan
> >
>
> There is a double nonce system used to "salt" the MD5 and prevent replays.
> See
>
>  http://en.wikipedia.org/wiki/Digest_access_authentication
>
>  And the RFC, of course.
>
> I'm no security expert, but judging from the protocol, it seems that digest
> auth is pretty safe and well thought out - except that it doesn't hide the rest
> of the HTTP headers and that MD5 has shown serious weaknesses.
>
> Regards,
>  Nicolas
>
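Worked example (added to this archive page; it is not code from the thread, from mod_python or from Apache): a minimal RFC 2617 Digest exchange with qop=auth, showing the three claims made above side by side. The client response is MD5 over HA1, the server nonce, the nonce count, a client nonce and HA2, so a response captured on the wire is bound to that nonce and that count: replaying it verbatim, or under a fresh challenge, is rejected by a server that tracks nonce counts. The Apache 1.3 warning still holds: HA1 = MD5(user:realm:password) is exactly what the digest file stores, and anyone holding it can mint valid responses for any nonce without knowing the password. The realm, usernames, passwords and the DigestServer class are constructed for the illustration.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is what an htdigest-style file stores. Holding it is as good as
    # holding the password for the purpose of answering challenges.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestServer:
    """Constructed verifier: issues nonces and tracks the nonce count per nonce."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users   # username -> HA1, as a digest file would hold it
        self.seen = {}       # nonce -> highest nonce count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0
        return nonce

    def verify(self, auth: dict):
        nonce = auth["nonce"]
        if nonce not in self.seen:
            return False, "unknown or expired nonce"
        nc = int(auth["nc"], 16)
        if nc <= self.seen[nonce]:
            # Same nonce, same or lower count: a straight replay of a
            # captured Authorization header.
            return False, "nonce count replayed"
        h1 = self.users.get(auth["username"])
        if h1 is None:
            return False, "no such user"
        expected = digest_response(h1, auth["method"], auth["uri"],
                                   nonce, auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False, "bad response"
        self.seen[nonce] = nc
        return True, "ok"


def client_auth(h1: str, username: str, method: str, uri: str,
                nonce: str, nc: str) -> dict:
    # What a browser puts in the Authorization header (password never sent).
    cnonce = secrets.token_hex(8)
    return {
        "username": username, "method": method, "uri": uri,
        "nonce": nonce, "nc": nc, "cnonce": cnonce,
        "response": digest_response(h1, method, uri, nonce, nc, cnonce),
    }


def run_demo() -> dict:
    realm = "example"                       # constructed
    server = DigestServer(realm, {"alice": ha1("alice", realm, "s3cret")})
    results = {}

    # 1. Legitimate client answers the challenge.
    nonce = server.challenge()
    legit = client_auth(ha1("alice", realm, "s3cret"), "alice",
                        "GET", "/private", nonce, "00000001")
    results["legit"] = server.verify(legit)

    # 2. Eavesdropper replays the captured header unchanged.
    results["replay_same_nonce"] = server.verify(dict(legit))

    # 3. Eavesdropper tries the captured response against a new challenge.
    stale = dict(legit, nonce=server.challenge(), nc="00000001")
    results["replay_new_nonce"] = server.verify(stale)

    # 4. Attacker who stole HA1 from the digest file (no password needed).
    forged = client_auth(server.users["alice"], "alice",
                         "GET", "/private", nonce, "00000002")
    results["forged_from_ha1"] = server.verify(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The nonce-count check is the part that separates "protocol on paper" from "deployment": a server that issues one nonce and never tracks nc accepts case 2, which is the replay Dan describes. Case 4 is the Apache 1.3 warning made concrete, and it is why the digest file needs the same protection as a password file even though it holds no passwords. None of this hides the URL, headers or body; that remains TLS's job.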