[4135] in WWW Security List Archive


Re: IIS Authentication Protocol

daemon@ATHENA.MIT.EDU (Scott Lawrence)
Mon Jan 27 13:28:21 1997

Date: Mon, 27 Jan 1997 11:04:17 -0500 (EST)
From: Scott Lawrence <lawrence@agranat.com>
To: Frank Willoughby <frankw@in.net>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9701270413.AA03324@su1.in.net>
Errors-To: owner-www-security@ns2.rutgers.edu


> FWIW, I would NOT recommend using any method of authentication which
> does not encrypt the network traffic from end-to-end.  Failure to do
> so could result in an intruder implementing a "session hijacking"
> attack to take over an existing connection (after the c/r has been
> completed).
>
> Frank

Encryption is not the only way to prevent session hijacking - the 
proposed standard (rfc2069) Digest Authentication scheme maintains 
continuous authentication, optionally including a digest of the message 
body - without encrypting the messages or requiring repeated prompts of 
the user.

We have a server available (http://digest-test.agranat.com/) to aid 
browsers in testing this feature.
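An added illustration of the point above, not code from the original message or from Agranat: the RFC 2069 response computation (KD(H(A1), nonce ":" H(A2))) beside a server-side verifier that checks every request and hands out a fresh nonce as Authentication-Info "nextnonce", so a captured Authorization header cannot be reused for a different URI, a modified body, or a second time. The body-binding variant shown is the later RFC 2617 "auth-int" form standing in for RFC 2069's separate entity "digest" field; the realm, credentials, URIs and bodies are constructed for the demo.

```python
import hashlib
import hmac
import os

def _h(s: str) -> str:
    """RFC 2069 H(): lowercase hex MD5 of the string."""
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri, body=None):
    """RFC 2069: response = KD(H(A1), nonce ":" H(A2)) with KD(s, d) = H(s ":" d),
    A1 = user:realm:password and A2 = method:uri.  When a body is supplied, A2 also
    binds H(body) (RFC 2617 'auth-int' form, used here as a stand-in for RFC 2069's
    separate entity 'digest' field)."""
    ha1 = _h(f"{user}:{realm}:{password}")
    a2 = f"{method}:{uri}" if body is None else f"{method}:{uri}:{_h(body)}"
    return _h(f"{ha1}:{nonce}:{_h(a2)}")

class DigestServer:
    """Verifier: every request must prove knowledge of the password for its own
    method, URI (and body); a successful request consumes its nonce and is
    answered with a nextnonce for the following request."""
    def __init__(self, realm, users):
        self.realm, self.users, self.live = realm, dict(users), set()

    def new_nonce(self) -> str:
        n = os.urandom(16).hex()
        self.live.add(n)
        return n

    def check(self, user, nonce, method, uri, response, body=None):
        """Return the nextnonce on success, None on failure."""
        if user not in self.users or nonce not in self.live:
            return None
        expected = digest_response(user, self.realm, self.users[user], nonce, method, uri, body)
        if not hmac.compare_digest(expected, response):
            return None
        self.live.discard(nonce)          # single-use nonce: no replay
        return self.new_nonce()

def demo():
    """Constructed scenario: one legitimate POST and three attempts that reuse
    its Authorization header after it was observed on the wire."""
    srv = DigestServer("digest-test", {"alice": "correct horse"})  # constructed credentials
    n1 = srv.new_nonce()
    r1 = digest_response("alice", "digest-test", "correct horse", n1, "POST", "/cart", body="qty=1")
    out = {}
    out["other_uri"] = srv.check("alice", n1, "POST", "/admin", r1, body="qty=1") is not None
    out["tampered_body"] = srv.check("alice", n1, "POST", "/cart", r1, body="qty=99") is not None
    n2 = srv.check("alice", n1, "POST", "/cart", r1, body="qty=1")
    out["legit"] = n2 is not None and n2 in srv.live
    out["replay"] = srv.check("alice", n1, "POST", "/cart", r1, body="qty=1") is not None
    return out
```

Only the legitimate request succeeds; the three reuse attempts fail because the response is bound to the nonce, method, URI and body of the one request it was computed for.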

