[2232] in WWW Security List Archive
Re: Final Review of Digest Authentication
daemon@ATHENA.MIT.EDU (hallam@Etna.ai.mit.edu)
Mon Jun 10 23:03:48 1996
From: hallam@Etna.ai.mit.edu
To: Paul Leach <paulle@microsoft.com>, www-security@ns2.rutgers.edu,
    http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com,
    John Franks <john@math.nwu.edu>
Cc: hallam@Etna.ai.mit.edu
Date: Mon, 10 Jun 96 20:49:17 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
Paul writes:
> Both Basic and Digest authentication are vulnerable to "man in the
> middle" attacks, for example, from a hostile or compromised proxy.
> Clearly, this would present all the problems of eavesdropping. But
> it could also offer some additional threats.
This isn't quite right. Digest authentication is not vulnerable
to a man in the middle attack as described. Digest is vulnerable to
a downgrade attack where a client supports BASIC and BASIC is
vulnerable to man in the middle.
If a client does not support Digest the vulnerability to password
snooping goes away because a client will not divulge the password under
any circumstances.
It's a picky point but an important one.
Phill
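As an added illustration, not part of Phill's message or of the list thread, the following Python sketch models the three situations the reply distinguishes: a Digest exchange seen by a proxy in the path, a hostile proxy rewriting the server's Digest challenge into a Basic one, and the client's behaviour depending on whether it supports Basic. The Digest computation follows the RFC 2069 formulation of the draft under review (response = MD5(MD5(user:realm:password) ":" nonce ":" MD5(method:uri)), no qop); the realm, nonce, user name and password are constructed sample values, and all function names are the example's own.

```python
import base64
import hashlib
import re


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2069-style Digest response: MD5(HA1 ':' nonce ':' HA2).
    The password only ever enters a hash; it never crosses the wire."""
    ha1 = _md5hex(f"{user}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


def basic_credentials(user, password):
    """Basic is just base64(user:password): reversible by anyone in the path."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_challenge(www_authenticate):
    """Split a WWW-Authenticate value into its scheme and quoted parameters."""
    scheme, _, params = www_authenticate.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', params))


def client_authorize(www_authenticate, user, password, method, uri, supports_basic):
    """Authorization header a client would send for this challenge, or None
    when the client refuses to authenticate by the offered scheme."""
    scheme, kv = parse_challenge(www_authenticate)
    if scheme == "Digest":
        resp = digest_response(user, kv["realm"], password, kv["nonce"], method, uri)
        return (f'Digest username="{user}", realm="{kv["realm"]}", '
                f'nonce="{kv["nonce"]}", uri="{uri}", response="{resp}"')
    if scheme == "Basic" and supports_basic:
        return "Basic " + basic_credentials(user, password)
    return None  # a Digest-only client will not divulge the password


def hostile_proxy_downgrade(www_authenticate):
    """A compromised proxy rewrites the server's Digest challenge into a Basic
    challenge for the same realm, hoping the client will fall back."""
    scheme, kv = parse_challenge(www_authenticate)
    if scheme == "Digest":
        return f'Basic realm="{kv["realm"]}"'
    return www_authenticate


def password_recoverable(authorization, password):
    """What a proxy in the path learns from the client's Authorization header."""
    if authorization is None:
        return False
    scheme, _, rest = authorization.partition(" ")
    if scheme == "Basic":
        return base64.b64decode(rest).decode().split(":", 1)[1] == password
    return False  # Digest: only a nonce-bound hash was sent


if __name__ == "__main__":
    # Constructed sample challenge; values are illustrative only.
    challenge = 'Digest realm="secure@example.org", nonce="0a1b2c3d4e5f"'
    for supports_basic in (True, False):
        honest = client_authorize(challenge, "alice", "s3cret", "GET", "/", supports_basic)
        downgraded = client_authorize(hostile_proxy_downgrade(challenge),
                                      "alice", "s3cret", "GET", "/", supports_basic)
        print(f"client supports Basic={supports_basic}: "
              f"Digest leaks password? {password_recoverable(honest, 's3cret')}; "
              f"after downgrade leaks password? {password_recoverable(downgraded, 's3cret')}")
```

Run as a script it walks both client configurations through the honest and the downgraded challenge; the password is recoverable by the proxy only in the case where the challenge was downgraded and the client was willing to answer a Basic challenge.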