- From: Scott Lawrence <lawrence@agranat.com>
- Date: Tue, 06 Jan 1998 14:08:19 -0500
- To: Ben Laurie <ben@algroup.co.uk>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>>>> "BL" == Ben Laurie <ben@algroup.co.uk> writes:

BL> The Apache implementation is already marked as not suitable for serious
BL> use, because of the server's vulnerability to a replay. I'm not sure how
BL> to avoid this, except, perhaps, by tying the nonce to the (rough) time
BL> and the URL. Of course, a client nonce doesn't help with this at all,

I don't believe that I understand this comment - if the server always generates a unique nonce how is it vulnerable to a replay? Granted, if it doesn't then it has a problem...

BL> Actually, if we could insist that the digest authed request was in the
BL> same keptalive session as the original request, that'd help a lot...

TCP connections can be hijacked - it doesn't help.

--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
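As an added example (not code from this thread or from Apache), one way a server can mint the kind of nonce Ben suggests, bound to the rough time and the URL, and then refuse a stale or already-used one, which is the property Scott's "unique nonce" argument relies on. The server key, the 300-second age limit and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumed per-server secret, never sent to clients


def make_nonce(url, now=None, key=SERVER_KEY):
    """Nonce layout: "<unix-seconds>:<hex HMAC(key, seconds:url)>".
    The MAC ties the nonce to the URL it was issued for, and only a holder
    of the server key can mint one that later verifies."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(key, f"{ts}:{url}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


class NonceChecker:
    """Server-side verifier: checks MAC, URL binding, age, and single use."""

    def __init__(self, max_age=300, key=SERVER_KEY):
        self.max_age = max_age
        self.key = key
        self.seen = set()  # nonces already accepted within max_age

    def check(self, nonce, url, now=None):
        now = time.time() if now is None else now
        try:
            ts, mac = nonce.split(":", 1)
            issued = int(ts)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, f"{ts}:{url}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"  # forged, or a valid nonce moved to another URL
        if now - issued > self.max_age:
            return "stale"  # client should retry with a fresh nonce
        # Forget nonces that have aged out; they can no longer pass the check.
        self.seen = {s for s in self.seen
                     if now - int(s.split(":", 1)[0]) <= self.max_age}
        if nonce in self.seen:
            return "replay"  # same nonce presented twice: reject the replay
        self.seen.add(nonce)
        return "ok"
```

A real Digest deployment would also answer "stale" with a challenge carrying stale=true so the client re-authenticates without prompting the user again.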
Received on Tuesday, 6 January 1998 11:26:20 UTC