W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Digest mess

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 7 Jan 1998 17:59:01 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE65872038E1@red-msg-51.dns.microsoft.com>
To: "'jg@pa.dec.com'" <jg@pa.dec.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, Scott Lawrence <lawrence@agranat.com>


> ----------
> From: 	jg@pa.dec.com[SMTP:jg@pa.dec.com]
> Sent: 	Wednesday, January 07, 1998 9:52 AM
> To: 	Paul Leach
> Cc: 	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com; Scott Lawrence
> Subject: 	RE: Digest mess
> 
> 
> While I agree with both Paul and Scott on message integrity, I'd 
> like to remind people that the BIG disaster on the Internet 
> is password grabbing. 
> 
Of course. But that's because no one needs to do anything complicated when
something trivial suffices.

>  Naive people use the same
> password for many things...
> 
(Interesting side note: the SCRAM auth protocol uses a per-server or
per-authentication domain salt to allow safe use of the same password for
many sites. There's an I-D by Chris Newman -- I forget the exact title.)

> At this point, anything that can help that problem is worth alot, eve
> n if it has other issues...
> 
All that will happen is that the attackers will switch to exploiting the
other weaknesses.

Paul
Received on Wednesday, 7 January 1998 18:03:40 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT