On 2003.11.03, Tom Jackson <[EMAIL PROTECTED]> wrote:
> On Mon, 2003-11-03 at 16:01, Dossy wrote:
> > Before we continue this thought, let's step back a second. Is AOLserver
> > a general purpose, multi-threaded daemon with a Tcl interpreter that
> > just /coincidentally/ happens to come standard with an HTTP request
> > processor ... or is AOLserver a specialized application built
> > specifically for the fast delivery of dynamic web pages, using a
> > multi-threaded Tcl page generation engine?
>
> It is a special purpose 'HTTP like' request processor over tcp. It would
> be nice if you could set tcp/udp per ns_sock section. It would be great
> if ns_http was a separate module.

If HTTP request processing could be pulled out in a clean way that didn't impact the 90% case that AOLserver will be used as an HTTP request processor from a performance perspective, I might agree with you. Doing this, however, is no easy task. Doing it right, that's even tougher.

> Digest Auth seems pretty useless if it requires storing plain text
> passwords. That makes a big payoff for breaking into a webserver,
> database or whatever stores the passwords.

Storing passwords using a 16-bit salt and a 64-bit key (a la unix crypt) is pretty dangerous if the system storing the passwords can be compromised. With modern processing power readily available to the average consumer, brute-force attacks on 64-bit keys are trivial. Since it's so easy to break those passwords, why make yourself jump through hoops? Just store the passwords in plain text so you can take advantage of having them in that form.

If you're paranoid, place the authentication mechanism on a machine that sits behind some level of network security, and don't let the passwords pass the wire into unsafe networks at all. Have the webserver call out to this authentication system passing a strong token that can be used to authenticate, and have the auth system pass back a yes/no.

> This is probably why no one has had reason to use it much. It is extra
> work for no, or even negative, effect.

Putting words in your mouth: I agree. Digest auth really isn't much more security than basic auth. If you must, pass the password in plain text using Basic auth and protect the transport layer using SSL. Once authenticated, give the user a strong authentication token to send back with future transactions, then send the user back to a non-SSL transport layer for speed/performance reasons.

-- Dossy

--
Dossy Shiobara              mail: [EMAIL PROTECTED]
Panoptic Computer Network   web:  http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)

--
AOLserver - http://www.aolserver.com/
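As an added worked example (not code from this thread, from AOLserver, or from either poster), the following Python puts the two mechanisms under discussion side by side. The first is the RFC 2617 Digest computation for qop=auth: the server only needs H(A1) = MD5(username:realm:password), which it can store instead of the password. The second is the post-login token Dossy describes, implemented here as an HMAC over user name and expiry, with a verifier that gives the yes/no answer he wants from the auth system. The realm, user, password, signing key and nonces are constructed values, and the token format is this example's own assumption, not anything AOLserver ships.

```python
# Added example for the thread above; not code from AOLserver or from the
# posters. Shows (1) Digest verification from a stored H(A1), never the
# plain-text password, and (2) a post-login HMAC token of the kind Dossy
# proposes. All names, keys and nonces are constructed for the example.
import base64
import hashlib
import hmac
import time

REALM = "aolserver-example"            # constructed realm
SECRET_KEY = b"server-side-token-key"  # constructed; lives only on the auth server


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(user: str, password: str, realm: str = REALM) -> str:
    """H(A1) per RFC 2617 section 3.2.2.2; this is all the server stores."""
    return md5hex(f"{user}:{realm}:{password}")


# Constructed user store: only H(A1), computed once at enrolment.
USERS = {"alice": make_ha1("alice", "correct horse")}


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """The Digest response field for qop=auth, as both sides compute it."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest(user, password, method, uri, nonce, nc, cnonce):
    """Client side: it knows the password, so it derives H(A1) itself."""
    return digest_response(make_ha1(user, password), method, uri, nonce, nc, cnonce)


def verify_digest(user, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from stored H(A1) and compare in constant time."""
    ha1 = USERS.get(user)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def basic_header(user, password):
    """Client side of Basic auth: the Authorization header value it sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(header):
    """Basic auth over SSL: decode user:password and check it against H(A1)."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except Exception:
        return False
    ha1 = USERS.get(user)
    return ha1 is not None and hmac.compare_digest(ha1, make_ha1(user, pw))


def issue_token(user, now=None, ttl=3600):
    """After a successful login, hand out user:expiry:HMAC for later requests."""
    now = int(time.time() if now is None else now)
    payload = f"{user}:{now + ttl}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b":" + mac).decode()


def verify_token(token, now=None):
    """The yes/no check: return the user name if the token is valid, else None."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token)
        payload, _, mac = raw.rpartition(b":")
        user, _, exp = payload.decode().rpartition(":")
        exp = int(exp)
    except Exception:
        return None
    good = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(good, mac) or now >= exp:
        return None
    return user
```

Two points worth noticing when reading it. The H(A1) store is bound to the realm string, so changing the realm invalidates every stored hash, and an attacker who steals H(A1) can still answer Digest challenges for that realm even without learning the password. The token verifier needs only SECRET_KEY, so the web tier can answer the yes/no question without ever holding the password store; the password (or Basic header) only has to cross the wire once, on the SSL-protected login.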
