- From: D. Willems <xatr0z@home.nl>
- Date: Sun, 17 Nov 2002 11:17:58 +0100
- To: "Goetz Bock" <bock@blacknet.de>
- Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
[snip] > > On Sat, Nov 16 '02 at 12:28, Xatr0z wrote: > > [ ... ] If someone is "sniffing" and get's the HTTP request > > instead of the HTTP server, he or she doesn't get the password, but it's > > encrypted (or with MD5, that depends on the HTTP request). Ofcourse, it > > isn't secure, he or she could trie an dictionary or brute-force attack, but > > is is more secure, and I think that's a good thing. > I don't need to do and brute-force. I can just reuse the SAME md5 > hash/checksum I just sniffed to reauthenticate as a valid user. As we > have discussed, an MD5 sum can not be "decrypted" into the real > password, it can only be compatred to a given MD5 sum in the database. > Yes you can, but think about registration mechanisms, you can mostly register yourself only once. [snip] > > What do you feel about the idea to create a attribute which allows the > > client to send an (MD5) checksum of the file, to determine if the transport > > went well? > This does not even add integrity checks for anything but transport > errors. This should be handled by the transport protocoll (TCP/IP in > this case) but again read "secrets and lies". Why should it? On my WWWebsites, I would like to see details about what went wrong, give my personal errors, etc. I think it is a good idea to insert this in HTML/XHTML. Regards, D. Willems "Xatr0z" <xatr0z at users dot sourceforge dot net>
Received on Sunday, 17 November 2002 05:21:34 UTC