W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

Re: potential security holes in digest authorization

From: John Franks <john@math.nwu.edu>
Date: Mon, 17 Jul 1995 10:12:16 -0500 (CDT)
Message-Id: <199507171512.KAA04166@hopf.math.nwu.edu>
To: Chuck Shotton <cshotton@biap.com>
Cc: dmk@allegra.att.com, john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
According to Chuck Shotton:
> 
> According to Kristol:
> >Fair enough.  How about using the server-name in place of realm, then?
> >(After all, it's possible two webmasters might choose the same realm
> >name on different servers, isn't it!) That would render the same
> >username/password combination unique on different machines.  So the
> >stored hash would be:
> >        H(<username> : <server-domain-name> : <password>)
> 
> This isn't any better, given that one user may have multiple occurences of
> the same name and password for different realms. (It happens!) The best
> would be a combination of host domain name and realm name.
> 

This would mean that only one hostname could be used in the URL.  I.e.
even though host.com and www.host.com are the same host, one of the URLs

	http://host.com/secret.doc
and
	http://www.host.com/secret.doc

would have to fail even when the user supplied a valid username/password.
This would be a serious flaw.

Keep in mind that the realm can be any (reasonable sized) string supplied by
the server maintainer.  Thus choosing a realm like

	myrealm@www.myplace.com

is probably a good idea.  This would prevent another server maintainer
accidentally choosing the same realm.  If another server maintainer 
maliciously chooses the same realm, at least that fact is displayed
to the client each time access is requested.  If you connect to 
www.myplace.com and see a realm with somewhere.else.com in it you 
should be very suspicious.

John Franks
Received on Monday, 17 July 1995 08:14:20 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:23 EDT