
Re: Final Review of Digest Authentication

From: <hallam@etna.ai.mit.edu>
Date: Mon, 10 Jun 96 20:49:17 -0400
Message-Id: <9606110049.AA07555@Etna.ai.mit.edu>
To: Paul Leach <paulle@microsoft.com>, www-security@ns2.rutgers.edu, "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'John Franks' <john@math.nwu.edu>
Cc: hallam@etna.ai.mit.edu

Paul writes:

>  Both Basic and Digest authentication are vulnerable to "man in the
>  middle" attacks, for example, from a hostile or compromised proxy.
>  Clearly, this would present all the problems of eavesdropping.  But
>  it could also offer some additional threats.

This isn't quite right. Digest authentication is not vulnerable
to a man in the middle attack as described. Digest is vulnerable to
a downgrade attack where a client supports BASIC and BASIC is
vulnerable to man in the middle.

If a client does not support Digest the vulnerability to password 
snooping goes away because a client will not divulge the password under
any circumstances.

It's a picky point but an important one.

	Phill
Received on Monday, 10 June 1996 17:48:52 EDT
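An added illustration of the downgrade Phill describes (example code written for this archive page, not part of the thread): the same client is shown the origin's challenge offering both schemes, and then a challenge carrying only Basic, which is what a hostile proxy could present. User name, password, realm and nonce are constructed values; the digest computation uses the early RFC 2069-style form without qop.

```python
import base64
import hashlib
import re

# Constructed sample challenges (not taken from the original thread).
ORIGIN_CHALLENGES = [
    'Digest realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
    'Basic realm="testrealm@host.com"',
]
# What a client sees if an intermediary drops the Digest line.
DOWNGRADED_CHALLENGES = ['Basic realm="testrealm@host.com"']


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, params dict)."""
    scheme, _, rest = header.partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme.lower(), params


def respond(challenges, user, password, allow_basic):
    """Client policy: prefer Digest; fall back to Basic only if allowed.
    Returns the Authorization value, or None if no credentials are sent."""
    schemes = dict(parse_challenge(c) for c in challenges)
    if "digest" in schemes:
        p = schemes["digest"]
        # The cleartext password never leaves the client under Digest.
        ha1 = hashlib.md5(f'{user}:{p["realm"]}:{password}'.encode()).hexdigest()
        ha2 = hashlib.md5(b"GET:/protected").hexdigest()
        resp = hashlib.md5(f'{ha1}:{p["nonce"]}:{ha2}'.encode()).hexdigest()
        return (f'Digest username="{user}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="/protected", response="{resp}"')
    if "basic" in schemes and allow_basic:
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    return None


def password_exposed(authorization, password):
    """Would an intermediary reading this header learn the password?"""
    if authorization is None or not authorization.startswith("Basic "):
        return False
    return base64.b64decode(authorization[6:]).decode().endswith(":" + password)
```

A client that keeps Basic enabled answers the downgraded challenge with the password in clear, while one with Basic disabled sends nothing, which is the distinction Phill draws.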
