OASIS Mailing List Archives
   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation


> If 
> somebody's trying to brute force guess passwords by logging in 
> repeatedly, that's pretty much the same issue with either cookies or 
> digest authentication.

No.  If I can get the plaintext request and response to a HTTP 
digest-auth message, then I can do my attack completely offline without 
involving the server at all.  That is a *huge* difference compared to 
repeatedly trying to log in (i.e., guess the password).  And remember, 
what's then been broken is the client's login password, not a 
finite-lifetime session key.

Given the recent messages and links about digest, I think we have to 
admit that it's a non-interoperable mechanism that's only slightly 
better than basic-auth, and its client-side management facilities and 
end-user knowledge are worse than cookies.
	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
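The point made above is that the Digest "response" value is a deterministic function of the password and of fields that all appear in the captured request, so the check the server performs can be repeated by anyone holding the exchange, with no further requests to the server. The following example (added here, not code from the thread) implements that server-side check in Python for RFC 2617 Digest with qop=auth, using the constructed header built from the RFC 2617 section 3.5 test vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life").

```python
import hashlib
import re

# Values from the RFC 2617 section 3.5 example; the header below is
# constructed from them for this example and is not a real capture.
USER = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"      # the user's long-lived login password
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Split an 'Authorization: Digest ...' value into its key=value fields."""
    body = header.split("Digest", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', body)}


def verify(header: str, method: str, password: str) -> bool:
    """The check a server performs. Every input except the password is
    taken from the request itself, so it needs nothing the server holds."""
    f = parse_digest_header(header)
    expected = digest_response(f["username"], f["realm"], password, method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return expected == f["response"]


def build_header(user, password, method, uri):
    """Construct the Authorization header a client would send (sample only)."""
    resp = digest_response(user, REALM, password, method, uri, NONCE, "00000001", CNONCE)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'qop=auth, nc=00000001, cnonce="{CNONCE}", response="{resp}"')


CAPTURED = build_header(USER, PASSWORD, "GET", "/dir/index.html")
```

Because verify() succeeds or fails without any server round trip, the only thing bounding a guess of the password from a captured exchange is the password's own strength, not the server's login rate limit; a random session cookie has no such password-derived structure and expires with the session.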
Copyright 2001 XML.org. This site is hosted by OASIS