[4562] in WWW Security List Archive
Re: Basic Authentication
daemon@ATHENA.MIT.EDU (Tomasz Pilat)
Fri Feb 21 16:32:38 1997
Date: Fri, 21 Feb 1997 19:11:32 +0100 (MET)
From: Tomasz Pilat <poncjusz@ajax.umcs.lublin.pl>
To: Aaron Abelard <aarona@iquest.net>
cc: Jim Harmon <jim@telecnnct.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SV4.3.91.970220084052.24549E-100000@iquest4>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 20 Feb 1997, Aaron Abelard wrote:
> Here's something very on topic for www-security. According to the HTTP/1.0
> specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
> username and password used in Basic Authentication are sent as clear
> text. Does this not allow for the possibility of the information being
> snooped? Also, are there any authentication schemes in use other than
> Basic?
1.) Not so clear I think. Username/passwd are transported in ``uuencode''
format (exactly like in telnet).
2.) One can easily catch packets with username/passwd using proper
software.
3.) ``MD5 Message Digest Authentication'' is a popular scheme (IMHO).
Kerberos and such are less popular (again IMHO).
4.) Check "Hypertext Transfer Protocol -- HTTP/1.1" (RFC #2068) and
"An Extension to HTTP : Digest Access Authentication" (RFC #2069).
"Content-MD5 Header Field" (RFC #1864) and
"IP Authentication using Keyed MD5" (RFC #1828) may be of interest too.
> Aaron Abelard / aarona@iquest.net
Regards,
TP
--
Tomasz "Poncki" Piłat - poncki@irc.pl
<URL:http://ajax.umcs.lublin.pl/~poncjusz/>
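The two mechanisms contrasted in this thread, worked through in Python as an added example (this is not code from the post or from its authors). RFC 1945 specifies base64 for Basic credentials, so the first half shows that any party who sees the request header recovers the username and password by decoding it; the second half computes the RFC 2069 Digest response, where only MD5 digests cross the wire, and a minimal verifier that stores H(A1) instead of the password and consumes each nonce once so a replayed response is rejected. The credentials, realm, URI and the `DigestServer` class are constructed for the demonstration; RFC 2069 itself leaves nonce lifetime and reuse to server policy, so the one-use rule here is a simplification.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration (not taken from the post).
REALM = "www-security-demo"
METHOD = "GET"
URI = "/private/index.html"


def build_basic_header(user: str, password: str) -> str:
    """Authorization header exactly as RFC 1945 Basic auth puts it on the wire."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> tuple[str, str]:
    """What any observer of the request can do with a Basic header:
    base64 is a reversible encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2069; the server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response = H(H(A1) ":" nonce ":" H(A2)) with A2 = method ":" uri."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Toy verifier (constructed): keeps H(A1) per user, accepts each nonce once."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}
        self.unused_nonces: set[str] = set()

    def register(self, user: str, password: str) -> None:
        # Only the digest is kept; the plaintext password is never stored.
        self.ha1_by_user[user] = digest_ha1(user, self.realm, password)

    def challenge(self) -> str:
        """Issue a fresh nonce (the WWW-Authenticate: Digest ... nonce="...")."""
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, method: str, uri: str, response: str) -> bool:
        """A replayed response fails because its nonce is consumed on first use."""
        if nonce not in self.unused_nonces or user not in self.ha1_by_user:
            return False
        self.unused_nonces.discard(nonce)
        expected = digest_response(self.ha1_by_user[user], nonce, method, uri)
        return hmac.compare_digest(expected, response)


def client_digest_header(user: str, password: str, realm: str,
                         nonce: str, method: str, uri: str) -> str:
    """Authorization header a Digest client sends; the password never appears."""
    resp = digest_response(digest_ha1(user, realm, password), nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


if __name__ == "__main__":
    basic = build_basic_header("alice", "s3cret")
    print("Basic on the wire:   ", basic)
    print("recovered by observer:", decode_basic_header(basic))

    server = DigestServer(REALM)
    server.register("alice", "s3cret")
    nonce = server.challenge()
    header = client_digest_header("alice", "s3cret", REALM, nonce, METHOD, URI)
    print("Digest on the wire:  ", header)
    print("password visible:    ", "s3cret" in header)
```

Note that Digest as shown protects the password from a passive observer of one request but does not protect the request body or the response, and its security rests on MD5 and on the server enforcing nonce freshness; that is why the thread's advice to read RFC 2068/2069 rather than rely on Basic over an unprotected link still holds.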