Cliff Woolley wrote:

> On Mon, 12 Aug 2002, Sébastien Bonnegent wrote:
>
> > A client connects to "www.example1.com", and provides an authentication.
> > Later, the same client connects to "www.example2.com" without giving
> > an authentication again.
>
> How is that not a security problem?
>
> Let's say we then have www.example3.attacker.com who provides the same
> Realm to the proxy. The proxy hands over the user's password to the
> attacker without the client even knowing anything happened.

In fact, my first schema was incomplete: there is a firewall between the client and the proxy. In addition, the proxy only serves a delimited number of websites which are known in advance. It is the proxy that checks if the user is already known or not.

Obviously, hijacking and IP spoofing must have special attention in this system (maybe with a special nonce or something like that).

Regards,
seb - sinad

--
GPG uid: 0xCB92591D
ICQ: 60143970
LINUX - because life is too short to reboot !
--
Fortune: There will be big changes for you but you will be happy.
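The disagreement in the thread is about what key the proxy uses when it decides to replay a stored credential. The following is an added illustration, not code from either poster or from any proxy: a minimal model of a proxy credential cache that contrasts realm-only keying (the case Cliff describes, where any origin presenting the same Realm receives the password) with the fixed allowlist of known upstream sites that Sébastien relies on, and with the stricter alternative of keying by (origin, realm). The host names, the realm name `corp`, the `Basic` credential and the `CredentialCache`/`simulate` names are all constructed for the example.

```python
"""Model of a forward proxy's credential cache (added example, not from the thread).

Three policies are compared:
  * realm-only keying with no allowlist: any origin that presents the same
    realm gets the stored credential;
  * realm-only keying restricted to a known set of upstream origins;
  * keying by (origin, realm): a credential is only replayed to the origin
    it was first sent to.
All hosts, the realm and the credential below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class CredentialCache:
    # Upstream sites the proxy is permitted to serve at all (the "delimited
    # number of websites known in advance" from the thread; assumed here).
    allowed_origins: Set[str]
    # True  -> replay a credential to any origin presenting the same realm.
    # False -> replay only to the exact origin the client authenticated to.
    share_across_origins: bool = False
    _store: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def _key(self, origin: str, realm: str) -> Tuple[str, str]:
        return ("*", realm) if self.share_across_origins else (origin, realm)

    def remember(self, origin: str, realm: str, credential: str) -> None:
        """Store the credential the client supplied for this origin/realm."""
        self._store[self._key(origin, realm)] = credential

    def credential_for(self, origin: str, realm: str) -> Optional[str]:
        """Credential to attach to a request for `origin`, or None if none may be sent."""
        if origin not in self.allowed_origins:
            # An origin outside the known set never receives a cached credential,
            # whatever realm it advertises.
            return None
        return self._store.get(self._key(origin, realm))


SAMPLE_CREDENTIAL = "Basic dXNlcjpzZWNyZXQ="  # constructed: base64("user:secret")
ORIGINS = ("www.example1.com", "www.example2.com", "www.example3.attacker.com")


def simulate(share_across_origins: bool, allowlist: Set[str]) -> Dict[str, Optional[str]]:
    """Client authenticates once to www.example1.com; report what each origin
    would receive when it later challenges with the same realm."""
    cache = CredentialCache(allowed_origins=allowlist,
                            share_across_origins=share_across_origins)
    cache.remember("www.example1.com", "corp", SAMPLE_CREDENTIAL)
    return {origin: cache.credential_for(origin, "corp") for origin in ORIGINS}


if __name__ == "__main__":
    everything = set(ORIGINS)
    known_sites = {"www.example1.com", "www.example2.com"}
    print("realm-only, no allowlist:  ", simulate(True, everything))
    print("realm-only, allowlisted:   ", simulate(True, known_sites))
    print("(origin, realm) keyed:     ", simulate(False, known_sites))
```

Running it shows the three outcomes side by side: with realm-only keying and no allowlist the attacker-controlled host receives the credential, exactly as Cliff describes; adding the allowlist keeps www.example2.com working without a second login while denying the attacker host; keying by (origin, realm) denies both, which is the safer default if single sign-on across the known sites is not actually required.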