abhishiv commented on issue #1183: Proxy Authentication doesn't work when 
proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-380029505
 
 
   > I think the hmac encoding of the username provides only slightly better 
security, but it is confusing to users. Perhaps the http auth should allow both 
options at the same time, either the secret directly (#1174), or the encoded 
username. If an attacker already knows about the secret, it is trivial to 
generate the tokens, so there is no harm in allowing the secret as a token, if 
users desire it.
   
   Benefit of encoding username is that it disallows malicious users from 
accessing others databases. If we were to allow directly supplying secret - 
specially when using it on client like pouchdb.
   
   If we were to allow both, at least we should document this point.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to