- From: <hallam@etna.ai.mit.edu>
- Date: Mon, 10 Jun 96 20:49:17 -0400
- To: Paul Leach <paulle@microsoft.com>, www-security@ns2.rutgers.edu, "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'John Franks' <john@math.nwu.edu>
- Cc: hallam@etna.ai.mit.edu
Paul writes:

> Both Basic and Digest authentication are vulnerable to "man in the
> middle" attacks, for example, from a hostile or compromised proxy.
> Clearly, this would present all the problems of eavesdropping. But
> it could also offer some additional threats.

This isn't quite right. Digest authentication is not vulnerable to a man in the middle attack as described. Digest is vulnerable to a downgrade attack where a client supports BASIC and BASIC is vulnerable to man in the middle. If a client does not support Digest the vulnerability to password snooping goes away because a client will not divulge the password under any circumstances.

It's a picky point but an important one.

Phill
Received on Monday, 10 June 1996 17:48:52 UTC
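As an added illustration (not part of Phill's message or of any implementation discussed on the list), here is the client-side check that defeats the downgrade described above: it parses a WWW-Authenticate header that may carry several challenges and answers only a Digest challenge, so a header that offers nothing but Basic (as a hostile proxy would present) gets no credentials. The challenge strings are constructed samples, and the parser ignores token68-style challenges.

```python
import re

# Constructed sample challenges (not from the original message).
DIGEST_AND_BASIC = 'Digest realm="api", nonce="abc123", Basic realm="api"'
BASIC_ONLY = 'Basic realm="api"'          # what a downgrading proxy would leave

# One "key" or "key=value" item; a bare key (no "=") starts a new challenge.
_ITEM_RE = re.compile(
    r'\s*,?\s*'
    r"(?P<key>[A-Za-z0-9._!#$%&'*+^`|~-]+)"
    r'(?:\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^,\s]+))?'
)

def parse_challenges(header):
    """Split a WWW-Authenticate value into [{'scheme': ..., 'params': {...}}]."""
    header = header.strip()
    challenges, pos = [], 0
    while pos < len(header):
        m = _ITEM_RE.match(header, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d" % pos)
        pos = m.end()
        key, val = m.group("key"), m.group("val")
        if val is None:                      # bare token: an auth scheme name
            challenges.append({"scheme": key, "params": {}})
            continue
        if not challenges:
            raise ValueError("parameter before any scheme name")
        if val.startswith('"'):              # strip quotes, undo \" escapes
            val = val[1:-1].replace('\\"', '"')
        challenges[-1]["params"][key.lower()] = val
    return challenges

# Client policy: only Digest is acceptable; Basic is never answered.
ACCEPTABLE_SCHEMES = {"digest"}

def choose_challenge(header, acceptable=ACCEPTABLE_SCHEMES):
    """Return the first challenge the client is willing to answer, or None.

    Returning None (and sending no Authorization header at all) is the
    behaviour that keeps the password off the wire when only Basic is offered.
    """
    for challenge in parse_challenges(header):
        if challenge["scheme"].lower() in acceptable:
            return challenge
    return None
```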