- From: Daniel DuBois <dan@spyglass.com>
- Date: Tue, 15 Apr 1997 22:10:15 GMT
- To: "nemo/Joel N. Weber II" <devnull@gnu.ai.mit.edu>
- Cc: http-wg@cuckoo.hpl.hp.com
On Tue, 15 Apr 1997 17:47:03 -0400 (EDT), "nemo/Joel N. Weber II" <devnull@gnu.ai.mit.edu> wrote: > Except that SSL is rather heavy weight performance wise and hence may be > overkill where the real objective is reasonably reliable identification of > a user w/o compromising their password data. > >I still don't quite see this. >Because if I can watch someone's packets fly across a network segment, >can't I take over their connection after it has been established? >Obviously, for me to read the password, I have to know what I'm doing. >So hijacking a connection would not be much harder. (Especially With Digest Authentication, hijacking a connection will not allow you to make subsequent requests over that connection (of different URLs) without knowledge of the shared secret (aka password). There's an MD5 hash of the URL, the password, and some other data. ----- Daniel DuBois, Traveling Coderman www.spyglass.com/~ddubois "The problem with political jokes is that they get elected."
Received on Tuesday, 15 April 1997 15:15:23 UTC