Paul writes: > Both Basic and Digest authentication are vulnerable to "man in the > middle" attacks, for example, from a hostile or compromised proxy. > Clearly, this would present all the problems of eavesdropping. But > it could also offer some additional threats. This isn't quite right. Digest authentication is not vulnerable to a man in the middle attack as described. Digest is vulnerable to a downgrade attack where a client supports BASIC and BASIC is vulnerable to man in the middle. If a client does not support Digest the vulnerability to password snooping goes away beacuse a client will not divulge the password under any circumstances. Its a picky point but an important one. PhillReceived on Monday, 10 June 1996 17:48:52 UTC
This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:17 UTC