Archive of UserLand's first discussion group, started October 5, 1998.

Tough problem to solve...

Author: David Brown
Posted: 5/10/2000; 11:59:59 AM
Topic: Piking behind firewalls
Msg #: 17167 (In response to 17142)
Prev/Next: 17166 / 17168

I've been thinking more about the MD5 hash of user and password.

You're not sending usernames and passwords in plaintext anymore, but you are still sending something in the clear that can be grabbed and reused.

If I can somehow get the MD5 hash of your username and password, e.g. by sniffing your network connection, I can pass that string back to Manila and still do nasty things.

I suppose you could add something to the username:password string that would make it unique each time, but somehow there needs to be a way for the client and server to agree on what's going to be added. And it has to be changed constantly, otherwise you have the same situation all over again.

It's a tough problem to solve correctly.

One approach is to use a challenge and response during the same connection, and repeat that every time someone connects, but HTTP is usually connectionless.

Perhaps it all needs to happen over SSL.

dave
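An added example (not part of the post, and not Manila's or Pike's own code) contrasting the fixed MD5 of user:password the post describes with a server-issued, one-time nonce mixed into the response, which is the "something unique each time" the post asks for. Credentials are constructed, and HMAC-SHA256 stands in for MD5 in the challenge variant (an assumption; the construction, not the hash, is the point).

```python
import hashlib
import hmac
import secrets

# Constructed credentials for the demonstration (not real accounts).
USERS = {"dave": "correct horse battery staple"}

def static_token(user, password):
    # Scheme from the post: one MD5 over "user:password". It never changes,
    # so anyone who captures it can present it again later.
    return hashlib.md5(f"{user}:{password}".encode()).hexdigest()

def static_login(user, token):
    return user in USERS and hmac.compare_digest(token, static_token(user, USERS[user]))

def challenge_response(user, password, nonce):
    # Client side: bind the response to the server's nonce (assumed construction).
    key = f"{user}:{password}".encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeServer:
    # Issues a fresh random nonce per attempt and accepts it at most once,
    # so a captured response cannot be replayed, even on a new connection.
    def __init__(self):
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, user, nonce, response):
        if nonce not in self.outstanding or user not in USERS:
            return False
        self.outstanding.discard(nonce)  # one-time use
        return hmac.compare_digest(response, challenge_response(user, USERS[user], nonce))

def demo():
    # Static scheme: a token seen once keeps working.
    replay_static = static_login("dave", static_token("dave", USERS["dave"]))
    # Challenge scheme: the same response fails against the used nonce and a new one.
    server = ChallengeServer()
    n1 = server.challenge()
    r1 = challenge_response("dave", USERS["dave"], n1)
    first = server.login("dave", n1, r1)
    replay_same_nonce = server.login("dave", n1, r1)
    replay_new_nonce = server.login("dave", server.challenge(), r1)
    return replay_static, first, replay_same_nonce, replay_new_nonce
```

Note that the nonce protects only against replay; without SSL the password-derived material is still exposed to offline guessing, which is the post's closing point.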



This page was archived on 6/13/2001; 4:55:09 PM.

© Copyright 1998-2001 UserLand Software, Inc.