Re: Digest mess

On Wed, 17 Dec 1997, John C. Mallery wrote:

> Yea, and now Internet Explorer 4.0 has broken their digest implementation
> from 3.0. Of course, Netscape doesn't do digests.
> 
> Of course, digests never authenticated the transaction and return codes,
> leaving them vulnerable to man-in-the-middle attacks.
> 
> Quite the mess.
> 
> A couple of simple fixes and this would be very useful.
> 
> What gives?
> 
> 
Did you read the spec?


       The Digest Access Authentication scheme is not intended to be a complete
       answer to the need for security in the World Wide Web. This scheme
       provides no encryption of object content. The intent is simply to create
       a weak access authentication method, which avoids the most serious flaws
       of Basic authentication.

The design objectives of digest were 1) replace the clear text passwords
of Basic, 2) no patent or export restrictions, i.e. NO ENCRYPTION.

It is not fair to criticize a bicycle because it does a rotten job
as a school bus.  If you want to keep Basic forever, so be it. But
Basic is currently used at least an order of magnitude more than 
any other authentication or security system.  This will continue
indefinitely if digest is abandoned. 

I have no idea what "digests never authenticated the transaction and
return codes" means.  The spec allows authentication of all return
headers which proxies don't change and the entity body. This works and
there are implementations. It is optional since usually it is not
worth the overhead.

People need to keep in mind what this is for.  It is designed for
something like the NY Times reader registration.  It is not suitable
for electronic commerce.


John Franks
john@math.nwu.edu

Received on Wednesday, 17 December 1997 05:54:51 UTC
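
Added example, not part of the original message or the spec's own code: design objective 1 above (replacing Basic's clear text password) shown with the original no-qop Digest computation, response = MD5(H(A1):nonce:H(A2)). The user, realm, password, URI and nonce values are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the original message).
USER, REALM, PASSWORD = "reader", "registered-readers", "s3cret"
METHOD, URI = "GET", "/archive/index.html"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_token(user, password):
    """Basic: base64(user:password). An encoding, not a secret."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_from_basic(token):
    """What any observer of a Basic header can do: decode the password."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """Original (no-qop) Digest: MD5(H(A1) ":" nonce ":" H(A2))."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")              # A2 = method:request-uri
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, response):
    """The server needs only H(A1); it recomputes with the nonce it issued."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    token = basic_token(USER, PASSWORD)
    print("Basic  :", token, "->", recover_from_basic(token))
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, "nonce-1")
    print("Digest :", resp)
    print("same nonce  :", server_verify(ha1, METHOD, URI, "nonce-1", resp))
    # A captured response fails once the server issues a different nonce.
    print("fresh nonce :", server_verify(ha1, METHOD, URI, "nonce-2", resp))
    # Headers and entity body are not inputs to this basic response value.
```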