- From: Paul Leach <paulle@microsoft.com>
- Date: Mon, 10 Jun 1996 17:57:33 -0700
- To: "'hallam@Etna.ai.mit.edu'" <hallam@etna.ai.mit.edu>
- Cc: "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'John Franks' <john@math.nwu.edu>
Digest is subject to "man in the middle" attacks because not all fields are included in the digest. This is explained in the remainder of the section that was elided from my message because it hadn't changed. If you review the whole section and still believe that it's worth fixing, let me know. However, please keep in mind when making that decision that delay at this point may cause it to not be able to be incorporated into the HTTP/1.1 spec -- we'd like to do that to increase likelihood of deployment.

>----------
>From: hallam@Etna.ai.mit.edu[SMTP:hallam@Etna.ai.mit.edu]
>Sent: Monday, June 10, 1996 5:49 PM
>To: Paul Leach <paulle@microsoft.com>; 'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'; 'John Franks'
>Cc: hallam@Etna.ai.mit.edu
>Subject: Re: Final Review of Digest Authentication
>
>
>Paul writes:
>
>> Both Basic and Digest authentication are vulnerable to "man in the
>> middle" attacks, for example, from a hostile or compromised proxy.
>> Clearly, this would present all the problems of eavesdropping. But
>> it could also offer some additional threats.
>
>This isn't quite right. Digest authentication is not vulnerable
>to a man in the middle attack as described. Digest is vulnerable to
>a downgrade attack where a client supports BASIC and BASIC is
>vulnerable to man in the middle.
>
>If a client does not support Digest the vulnerability to password
>snooping goes away because a client will not divulge the password under
>any circumstances.
>
>It's a picky point but an important one.
>
> Phill
>
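The downgrade point in the exchange above, as an added example that is not from the original thread or from any HTTP implementation: a client-side challenge selector that prefers Digest and refuses to answer a Basic-only challenge unless explicitly allowed, so an in-path party cannot coax a cleartext password out of it, plus the RFC 2069-style response computation showing that only the method and URI enter the digest. The challenge strings, nonce and credentials are constructed sample values.

```python
import hashlib
import re

# Constructed sample challenges, as a server (or an interposed proxy
# stripping the Digest one) might send in WWW-Authenticate headers.
CHALLENGES = [
    'Digest realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
    'Basic realm="testrealm@host.com"',
]


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, params = header.partition(" ")
    return scheme.lower(), dict(re.findall(r'(\w+)="([^"]*)"', params))


def choose_scheme(headers, allow_basic=False):
    """Pick the strongest offered scheme.

    A client that never answers Basic cannot be downgraded into sending
    the password in the clear; by default we refuse rather than divulge.
    """
    offered = dict(parse_challenge(h) for h in headers)
    if "digest" in offered:
        return "digest", offered["digest"]
    if "basic" in offered and allow_basic:
        return "basic", offered["basic"]
    return None, None  # Basic-only challenge: do not send credentials


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069-style Digest response (no qop/cnonce, as in the 1996 draft).

    Only the method and URI are covered by A2, so other request fields
    are not protected by the digest, which is the tampering exposure
    Paul's text refers to.
    """
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    a1 = h(f"{username}:{realm}:{password}")
    a2 = h(f"{method}:{uri}")
    return h(f"{a1}:{nonce}:{a2}")


if __name__ == "__main__":
    scheme, params = choose_scheme(CHALLENGES)
    print(scheme, digest_response("Mufasa", params["realm"], "Circle Of Life",
                                  params["nonce"], "GET", "/dir/index.html"))
```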
Received on Monday, 10 June 1996 18:04:23 UTC