Archive of UserLand's first discussion group, started October 5, 1998.

Re: Tough problem to solve...

Author: Wesley Felter
Posted: 5/10/2000; 1:00:15 PM
Topic: Piking behind firewalls
Msg #: 17175 (In response to 17167)
Prev/Next: 17174 / 17176

If I can somehow get the MD5 hash of your username and password, e.g. by sniffing your network connection, I can pass that string back to Manila and still do nasty things.

Yes, this is technically known as password-equivalence.

One approach is to use a challenge and response during the same connection, and repeat that every time someone connects, but HTTP is usually connectionless.

HTTP/1.1 already has a standard challenge-response authentication scheme called digest authentication. However, even digest auth is vulnerable to offline guessing attacks.

Perhaps it all needs to happen over SSL.

Even though SSL can leak passwords during man-in-the-middle attacks, I think this is the most practical solution.
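The following is an added example, not part of the original post or of Manila's code. It contrasts the fixed MD5 token discussed above with an RFC 2617 digest response (the variant without qop). The account, realm, and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Constructed sample account, realm and password (assumptions for this example).
USER, REALM, PASSWORD = "alice", "example-realm", "correct horse"

# Scheme 1: the client always sends the same MD5 of username and password.
STORED_TOKEN = md5_hex(f"{USER}:{PASSWORD}")

def verify_static(token: str) -> bool:
    # The server can only compare against one fixed string, so whoever holds
    # that string is accepted: the hash is password-equivalent.
    return secrets.compare_digest(token, STORED_TOKEN)

# Scheme 2: RFC 2617 digest without qop: MD5(HA1:nonce:HA2).
def digest_response(user, realm, password, nonce, method, uri):
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify_digest(response, nonce, method, uri):
    # The nonce is chosen by the server per challenge, so the expected value
    # changes every time and an old response no longer matches.
    expected = digest_response(USER, REALM, PASSWORD, nonce, method, uri)
    return secrets.compare_digest(response, expected)

def guess_matches_capture(candidate, nonce, method, uri, captured):
    # Every input except the candidate travels in the clear, so a guess can be
    # checked against a recorded exchange without contacting the server.
    # This is why digest auth alone does not protect a weak password.
    return digest_response(USER, REALM, candidate, nonce, method, uri) == captured

def demo():
    replay_static = verify_static(STORED_TOKEN)          # observed token, sent again
    nonce1, nonce2 = secrets.token_hex(16), secrets.token_hex(16)
    captured = digest_response(USER, REALM, PASSWORD, nonce1, "GET", "/edit")
    first_use = verify_digest(captured, nonce1, "GET", "/edit")
    replay_digest = verify_digest(captured, nonce2, "GET", "/edit")  # fresh challenge
    offline_check = guess_matches_capture(PASSWORD, nonce1, "GET", "/edit", captured)
    return replay_static, first_use, replay_digest, offline_check

if __name__ == "__main__":
    print(demo())
```

The static token is accepted on replay, while the digest response fails against a fresh nonce but can still be tested offline. Running either scheme inside SSL keeps both the token and the challenge-response pair off the wire.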




This page was archived on 6/13/2001; 4:55:09 PM.

© Copyright 1998-2001 UserLand Software, Inc.