W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Digest mess

From: David W. Morris <dwm@xpasc.com>
Date: Wed, 7 Jan 1998 18:29:38 -0800 (PST)
To: Jim Gettys <jg@pa.dec.com>
Cc: Paul Leach <paulle@microsoft.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, Scott Lawrence <lawrence@agranat.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.GSO.3.96.980107181725.9506H-100000@shell1.aimnet.com>


On Wed, 7 Jan 1998, Jim Gettys wrote:

> 
> While I agree with both Paul and Scott on message integrity, I'd 
> like to remind people that the BIG disaster on the Internet 
> is password grabbing.  Naive people use the same
> password for many things...
> 
> At this point, anything that can help that problem is worth alot, eve
> n if it has other issues...

I agree! 

The problem is perhaps even worse, one server rapidly increasing its
deployment (MS IIS) actually requires (by default) that each user to be
authenticated have a login/pw on the server. There are various ways
to mitigate the risk ... but while we blame naive people for using
the same password for many things, we should note that those who
should know better have made the problem significantly worse by
biasing the situation to use of the same login/pw for access to the
LAN file servers AND the web.

Of course, once we have hidden the password using digest, there is
still no way to update the password but one could argue that
it is harder to sniff the infrequent update than the repeated
authentication credential.

In any case, I believe it is critical to protect the authentication
credentials not because we are securing the web transaction BUT for
the reasons Jim has noted ... to prevent the use of web passwords
grabbed from the net from being used to access unrelated services.

Take on the data verification as a second problem.  Perhaps do 
something about the password update issue as well... Perhaps 
even a variation of shttp to protect and authenticate the payload 
with lower implementation costs than SSL.

Dave Morris
Received on Wednesday, 7 January 1998 18:37:33 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT