W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Wed, 17 Dec 1997 07:52:55 -0600 (CST)
To: "John C. Mallery" <jcma@ai.mit.edu>
Cc: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>, rlgray@us.ibm.com, HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <Pine.LNX.3.95.971217073425.5498A-100000@hopf.math.nwu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4989
On Wed, 17 Dec 1997, John C. Mallery wrote:

> Yea, and now Internet Explorer 4.0 has broken their digest implementation
> form 3.0. Of course, netscape doesn't do digests.
> Of course, digests never authenticated the transaction and return codes,
> leaving them vulnerable to man-in-the-middle attacks.
> Quite the mess.
> A couple of simple fixes and this would be very useful.
> What gives?
Did you read the spec?

       The Digest Access Authentication scheme is not intended to be a complete
       answer to the need for security in the World Wide Web. This scheme
       provides no encryption of object content. The intent is simply to create
       a weak access authentication method, which avoids the most serious flaws
       of Basic authentication.

The design objectives of digest were 1) replace the clear text passwords
of Basic, 2) no patent or export restrictions, i.e. NO ENCRYPTION.

It is not fair to criticize a bicycle because it does a rotten job
as a school bus.  If you want to keep Basic forever, so be it. But
Basic is currently used at least an order of magnitude more than 
any other authentication or security system.  This will continue
indefinitely if digest is abandoned. 

I have no idea what "digests never authenticated the transaction and
return codes" means.  The spec allows authentication of all return
headers which proxies don't change and the entity body. This works and
there are implementations. It is optionaly since usually it is not
worth the overhead.

People need to keep in mind what this is for.  It is designed for
something like the NY Times reader registration.  It is not suitable
for electronic commerce.

John Franks
Received on Wednesday, 17 December 1997 05:54:51 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC