> If
> somebody's trying to brute force guess passwords by logging in
> repeatedly, that's pretty much the same issue with either cookies or
> digest authentication.
No. If I can get the plaintext request and response to a HTTP
digest-auth message, then I can do my attack completely offline without
involving the server at all. That is a *huge* difference compared to
repeatedly trying to log in (i.e., guess the password). And remember,
what's then been broken is the client's login password, not a
finite-lifetime session key.
Given the recent messages and links about digest, I think we have to
admit that it's a non-interoperable mechanism that's only slightly
better than basic-auth, and its client-side management facilities and
end-user knowledge are worse than cookies.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html