W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: More KeyedDigest... Re: another Digest Access Authentication question

From: Owen Rees <rtor@ansa.co.uk>
Date: Mon, 20 Mar 1995 17:35:34 +0000
Message-Id: <9503201735.AA20938@plato.ansa.co.uk>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
"Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch> writes:
> The problem is not just that the information is passed en-clair. Mallet
> is able to bypass the authentication system so that he has greater
> access than that of a pure passive lisner.

Mallet may have been able to fool Alice into accessing her email on Bob's 
server, thus making it visible to anyone watching the traffic between Alice 
and Bob, but it is not clear that Mallet can do more than this unless there is 
some problem hidden in the words "uri sans proxy/routing" which lets Mallet 
fool Alice into using him as a proxy to Bob.

To put himself in the access path, the problem for Mallet is to construct a 
URI which causes Alice to send the request to Mallet with a digest that 
contains a requested URI that Bob will honour. It is not clear how Mallet can 
do this unless Alice is happy to adopt an arbitrary proxy.

Regards,
  Owen Rees <rtor@ansa.co.uk>
Information about ANSA is at <URL:http://www.ansa.co.uk/>.
Received on Monday, 20 March 1995 09:46:11 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:14 EDT