- From: Alexander Mueller <alexm@gmx.at>
- Date: Fri, 11 Jan 2008 12:47:16 +0100
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: public-html@w3.org
> I don't think this provides much security advantage without the
> "replaysalt" attribute. If the hash is your actual authentication
> credential, then an attacker who sniffs it could just log in as you.

This is correct; however, this isn't different from the current password solution, and the hash itself shouldn't prevent replay attacks but rather "encrypt" the password itself.

> So the only worthwhile part of this is the ability to hash the
> password combined with a one-time salt (the "replaysalt"). However,
> that feature does not seem workable. The server would have to know at
> the time you submit the form what "replaysalt" value it sent you. But
> there's no way to know that without sending it (or some other session
> token) along with the request, which makes it once again replayable.

That's the point: the server is sending the replay salt, but as it is always different, it is not "replayable".

Alexander
Received on Friday, 11 January 2008 11:47:46 UTC
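The exchange the two messages above argue about, as an added example that is not part of the original thread or of any HTML proposal text. It models both sides: the server mints a fresh random "replaysalt" with each login form and remembers it in a pending table keyed by the salt itself, the client submits a keyed hash of its password hash under that salt instead of the password, and the server verifies against the salt it issued and then discards it. A second copy of the same submission therefore fails, which is the point Alexander makes; the salt travels with the request, as Maciej notes, but it is the lookup key rather than a reusable token. For contrast, a no-salt server that accepts a bare password hash is shown accepting the same captured value twice. All names (ReplaySaltServer, StaticHashServer, client_response, the demo user) and the choice of SHA-256/HMAC are assumptions of this example, not anything the thread specifies.

```python
"""Challenge-response login with a one-time "replaysalt".

Added example; not code from the public-html thread or from any spec
proposal. Names, the demo user, and the hash construction are assumptions.
"""

import hashlib
import hmac
import secrets


def password_hash(password: str) -> str:
    """Client-side hash of the password (what a "hash" attribute would do).

    Plain SHA-256 keeps the demo dependency-free; a real system would
    additionally run a slow, per-user-salted password hash on the server.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def client_response(password: str, replaysalt: str) -> str:
    """What the browser submits: HMAC over the password hash, keyed by the
    one-time salt the server embedded in the form."""
    return hmac.new(replaysalt.encode(), password_hash(password).encode(),
                    hashlib.sha256).hexdigest()


class ReplaySaltServer:
    """Server side of the replaysalt exchange (assumed design)."""

    def __init__(self, users: dict):
        self.users = dict(users)   # username -> stored password hash
        # replaysalt -> username for salts issued but not yet consumed.
        # This table is how the server knows which salt it sent: the salt
        # in the submission is the lookup key, so no session token is needed.
        self.pending = {}

    def issue_form(self, username: str) -> str:
        """Render a login form: mint a fresh random salt and remember it."""
        replaysalt = secrets.token_hex(16)
        self.pending[replaysalt] = username
        return replaysalt

    def login(self, username: str, replaysalt: str, response: str) -> bool:
        """Verify a submission and consume its salt.

        A resent copy of the same submission fails because the salt was
        already popped from the pending table on first use.
        """
        if self.pending.pop(replaysalt, None) != username:
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = hmac.new(replaysalt.encode(), stored.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class StaticHashServer:
    """The variant without replaysalt: the client submits H(password) alone,
    so the submitted value is the credential and a captured copy works again."""

    def __init__(self, users: dict):
        self.users = dict(users)

    def login(self, username: str, submitted_hash: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


def demo() -> dict:
    """Run both exchanges and report which submissions were accepted."""
    users = {"alice": password_hash("correct horse")}   # constructed demo user

    srv = ReplaySaltServer(users)
    salt = srv.issue_form("alice")
    resp = client_response("correct horse", salt)
    first = srv.login("alice", salt, resp)            # genuine submission
    replay = srv.login("alice", salt, resp)           # sniffed and resent
    salt2 = srv.issue_form("alice")
    stale = srv.login("alice", salt2, resp)           # old response, new salt
    salt3 = srv.issue_form("alice")
    wrong = srv.login("alice", salt3, client_response("wrong", salt3))

    plain = StaticHashServer(users)
    captured = password_hash("correct horse")         # value seen on the wire
    plain_first = plain.login("alice", captured)
    plain_replay = plain.login("alice", captured)     # same value works again

    return {
        "replaysalt_first": first, "replaysalt_replay": replay,
        "replaysalt_stale": stale, "replaysalt_wrong_password": wrong,
        "static_first": plain_first, "static_replay": plain_replay,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Two caveats a deployment would need that the demo leaves out: pending salts must expire rather than accumulate, and because the server verifies against the stored password hash, that stored hash is itself a usable credential for anyone who reads the database, so it still needs protecting as if it were the password.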