- From: John Franks <john@math.nwu.edu>
- Date: Tue, 6 Jan 1998 12:59:44 -0600 (CST)
- To: Ben Laurie <ben@algroup.co.uk>
- Cc: Scott Lawrence <lawrence@agranat.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 6 Jan 1998, Ben Laurie wrote:

> The Apache implementation is already marked as not suitable for serious
> use, because of the server's vulnerability to a replay.

I don't understand. The Apache implementation only authenticates a client to the server. This works. There is no possibility of replay unless the server re-uses nonces (which I can't believe any implementation would do).

Going the other direction, the base digest mechanism (as implemented in Apache) does not authenticate a server to a client. It is just like Basic in that respect. Since there is no authentication there can be no attack, replay or otherwise.

The base digest authentication is a replacement for Basic, but without passwords in the clear. Apache presumably does that fine. This is a "serious use". There are, of course, other "serious uses" which it does not implement and this will always be the case.

> Actually, if we could insist that the digest authed request was in the
> same keptalive session as the original request, that'd help a lot...

Why? Are you saying that once Apache has received valid credentials for one request it allows access for (some) other requests in the same keep-alive session which don't have credentials? Surely, that can't be true. Maybe I don't understand what you are saying.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 11:02:27 UTC
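The nonce re-use point above, as an added illustration that is not part of this thread and not Apache's code: a minimal RFC 2069-style Digest verifier (no qop or nonce-count, as in the era of the discussion) whose `single_use` flag decides whether a previously accepted nonce is honoured again. The realm, user table and class names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: a minimal RFC 2069-style Digest verifier (no qop/nc).
# Realm, users and names below are assumptions, not from the thread.


def h(s: str) -> str:
    """MD5 hex digest of a string, the H() of the Digest spec."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side: response = H(H(A1) : nonce : H(A2))."""
    a1 = f"{username}:{realm}:{password}"
    a2 = f"{method}:{uri}"
    return h(f"{h(a1)}:{nonce}:{h(a2)}")


class DigestServer:
    """Server side. With single_use=True each issued nonce is accepted once,
    so a captured Authorization header cannot be presented a second time."""

    def __init__(self, realm, users, single_use=True):
        self.realm = realm
        self.users = users          # username -> password (constructed sample data)
        self.single_use = single_use
        self.issued = set()         # nonces handed out in WWW-Authenticate
        self.consumed = set()       # nonces that already authenticated a request

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> str:
        """Returns "ok", "unknown-nonce", "replay" or "bad-credentials"."""
        if nonce not in self.issued:
            return "unknown-nonce"            # never issued by this server
        if self.single_use and nonce in self.consumed:
            return "replay"                   # the nonce re-use Franks rules out
        password = self.users.get(username)
        expected = digest_response(username, self.realm, password or "", method, uri, nonce)
        if password is None or not hmac.compare_digest(expected, response):
            return "bad-credentials"
        self.consumed.add(nonce)
        return "ok"
```

Running the same valid header twice against a `single_use=False` server yields "ok" both times, which is exactly the replay that a nonce-reusing server permits and a single-use server reports.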