[
Lists Home |
Date Index |
Thread Index
]
> Bottom line: SSL on: everything is safe. SSL off: HTTP digest
> authentication, while not perfect given likely weak passwords, is more
> secure than cookie based authentication.
No. With SSL on, everything is safe, except that we've seen that
digest-auth doesn't have interoperable implementations, and it's
repeatedly using your login password which is a very bad thing. You
don't believe so, oh well. I don't have time to look it up, but the IETF
security WG disallowed this kind of thing in LDAP for exactly that reason.
Without SSL, the risk is "offline attack on gets long-term password" for
digest, and for cookie its "packet snarf gets limited access." That
tradeoff alone would make the concerned (or liable) party tend to go for
cookies, don'tcha think? And the cookie risks can be mediated in
several ways, including:
1. Make the lifetime short, but renewable; long enough for the expected
transaction lifetime (e.g., time spent through the shopping cart)
2. Make the lifetime be a "number of uses" count. This would make it
obvious to client and server when someone has stolen the session, not
something possible with an off-line dictionary attack against digest-auth.
3. (As Alaric mentioned) require re-login and SSL when entering the "no
turning back" phase.
Things may be worse than you think, but only if you try to use digest. :)
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
