W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

Re: potential security holes in digest authorization

From: Dave Kristol <dmk@allegra.att.com>
Date: Mon, 17 Jul 95 11:29:31 EDT
Message-Id: <199507171647.AA197789629@hplb.hpl.hp.com>
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
John Franks <john@math.nwu.edu> said:
  [regarding my proposal to embed hostname in the password file line]
  > This would mean that only one hostname could be used in the URL.  I.e.
  > even though host.com and www.host.com are the same host, one of the URLs
  > 
  > 	http://host.com/secret.doc
  > and
  > 	http://www.host.com/secret.doc
  > 
  > would have to fail even when the user supplied a valid username/password.
  > This would be a serious flaw.

I disagree with the premise.  I wouldn't encode the domain name that
the user accessed to reach my server.  I would encode the name that the
server uses for itself, for example the name set by NCSA HTTPD
ServerName directive.
  > 
  > Keep in mind that the realm can be any (reasonable sized) string supplied by
  > the server maintainer.  Thus choosing a realm like
  > 
  > 	myrealm@www.myplace.com
  > 
  > is probably a good idea.  This would prevent another server maintainer
  > accidentally choosing the same realm.  If another server maintainer 
  > maliciously chooses the same realm, at least that fact is displayed
  > to the client each time access is requested.  If you connect to 
  > www.myplace.com and see a realm with somewhere.else.com in it you 
  > should be very suspicious.

Thank you for motivating my second quibble, namely:  I want to be able
to specify a (user/password) prompt independent of the realm.  I don't
think much of a realm named "myrealm@www.myplace.com", but maybe I'm
perverse.  I prefer
	Enter username for [prompt that I specify] at www.research.att.com:
to
	Enter username for myrealm@www.myplace.com at www.myplace.com

Evidently (sigh) I'm the only person in the world who feels this way.

Dave Kristol
Received on Monday, 17 July 1995 09:48:58 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:23 EDT