W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: Digest Authentication, Netscape, and Microsoft

From: Daniel DuBois <dan@spyglass.com>
Date: Tue, 15 Apr 1997 22:10:15 GMT
To: "nemo/Joel N. Weber II" <devnull@gnu.ai.mit.edu>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <3354fbba.4377905@spyglass.com>

On Tue, 15 Apr 1997 17:47:03 -0400 (EDT), "nemo/Joel N. Weber II"
<devnull@gnu.ai.mit.edu> wrote:
>   Except that SSL is rather heavy weight performance wise and hence may be
>   overkill where the real objective is reasonably reliable identification of
>   a user w/o compromising their password data.
>
>I still don't quite see this.
>Because if I can watch someone's packets fly across a network segment,
>can't I take over their connection after it has been established?
>Obviously, for me to read the password, I have to know what I'm doing.
>So hijacking a connection would not be much harder.  (Especially

With Digest Authentication, hijacking a connection will not allow you to
make subsequent requests over that connection (of different URLs) without
knowledge of the shared secret (aka password).  There's an MD5 hash of the
URL, the password, and some other data.

-----
Daniel DuBois, Traveling Coderman        www.spyglass.com/~ddubois
   "The problem with political jokes is that they get elected."
Received on Tuesday, 15 April 1997 15:15:23 EDT
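
The URL binding described in the reply above, as an added example that is not part of the original message: a server-side check assuming the RFC 2069 form of the Digest calculation (no `qop`). The user name, password, nonce, realm and paths are constructed sample values, and `server_accepts` is a hypothetical helper name.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2069 form: MD5(MD5(user:realm:password) : nonce : MD5(method:uri))
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest_header(header):
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def server_accepts(header, method, request_uri, passwords, issued_nonces):
    f = parse_digest_header(header)
    if any(k not in f for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    # The uri field must match the request line, and the nonce must be ours.
    if f["uri"] != request_uri or f["nonce"] not in issued_nonces:
        return False
    password = passwords.get(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password,
                               method, request_uri, f["nonce"])
    return hmac.compare_digest(expected, f["response"])

# Constructed sample data (assumptions, not taken from the thread).
PASSWORDS = {"alice": "constructed-password"}
NONCES = {"constructed-nonce-0001"}

def demo():
    good = digest_response("alice", "example", PASSWORDS["alice"],
                           "GET", "/reports/q1.html", "constructed-nonce-0001")
    header = ('Digest username="alice", realm="example", '
              'nonce="constructed-nonce-0001", uri="/reports/q1.html", '
              f'response="{good}"')
    same_url = server_accepts(header, "GET", "/reports/q1.html", PASSWORDS, NONCES)
    # Observed header reused unchanged for a different URL: uri mismatch.
    other_url = server_accepts(header, "GET", "/admin/users.html", PASSWORDS, NONCES)
    # uri field rewritten but response not recomputed: hash mismatch.
    edited = header.replace("/reports/q1.html", "/admin/users.html")
    rewritten = server_accepts(edited, "GET", "/admin/users.html", PASSWORDS, NONCES)
    return same_url, other_url, rewritten
```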
