Re: [patch] digest replay protection
Dirk-Willem van Gulik wrote:
> Right now we do not verify the nonce used in digest. This means that an attacker can replay the response from another site or section on the web site if
> - the user's username+password is the same across the site.
> - the realm name is the same
> Unfortunately that is often the case (and for the realm, there is a lot of DAV and webdav out there). Below somewhat addresses that by verifying that the nonce is actually our own.

This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays...

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: [patch] digest replay protection
> This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays...

Correct - the trouble with timestamp checks is that ?most/some? browsers will NOT cache the password the user has entered, but the 'response' (i.e. nonce+realm+password). So if one sets a 5 minute time out on the time stamp, then users will be prompted for a password every 5 minutes or so. Setting it to anything shorter, which from a security perspective would make even more sense, of course means typing the password for every page :)

Bear in mind that unlike experimental/mod_auth_digest, most browsers and mod_digest do not do anything like fancy/decent qop or other counts; and as far as I understand any re-newing of the nonce requires a full rejection round trip.

Dw
Re: [patch] digest replay protection
Dirk-Willem van Gulik wrote:
>> This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays...
>
> Correct - the trouble with timestamp checks is that ?most/some? browsers will NOT cache the password the user has entered, but the 'response' (i.e. nonce+realm+password). So if one sets a 5 minute time out on the time stamp, then users will be prompted for a password every 5 minutes or so.

That's crap. So, we should do it right and get the browsers fixed.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
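The two replay cases argued over in this thread, as an added example that is not the patch under discussion nor Apache's mod_digest code: a server that mints nonces bound to its own private key and checks them on the way back, shown beside a verifier that trusts whatever nonce the client sends (the situation Dirk describes). The nonce layout (hex timestamp followed by a truncated HMAC-SHA256 over timestamp and realm), the key names, the 300-second window and the user table are this example's own assumptions; the response is computed per RFC 2617 without qop, since the thread says old mod_digest does not speak qop. The replayed exchange is constructed inline.

```python
# Added example, not Apache mod_digest code: server-bound Digest nonces.
# Assumptions (mine, not the thread's): nonce = hex(stamp) + HMAC(key, stamp:realm),
# a 300 s freshness window, and the same realm and credentials on both hosts.
import hashlib
import hmac
import os
import time

REALM = "webdav"   # same realm on both sites, the precondition the thread describes


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce):
    """RFC 2617 response with no qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """One web site: holds its own private key, issues and checks nonces."""

    def __init__(self, key: bytes, realm: str, max_age: int = 300, users=None):
        self.key = key
        self.realm = realm
        self.max_age = max_age            # freshness window in seconds (assumed)
        self.users = users or {}          # user -> cleartext password (assumed store)

    def _mac(self, stamp: int) -> str:
        msg = f"{stamp}:{self.realm}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def issue_nonce(self, now=None) -> str:
        stamp = int(now if now is not None else time.time())
        return f"{stamp:08x}{self._mac(stamp)}"

    def nonce_is_ours(self, nonce: str, now=None) -> bool:
        """Binding check (our key) first, then the age check Ben asked about."""
        if len(nonce) != 40:
            return False
        try:
            stamp = int(nonce[:8], 16)
        except ValueError:
            return False
        if not hmac.compare_digest(nonce[8:], self._mac(stamp)):
            return False                  # minted by another site, or forged
        age = (now if now is not None else time.time()) - stamp
        return 0 <= age <= self.max_age   # stale: client must fetch a new nonce

    def _response_matches(self, user, method, uri, nonce, response):
        pw = self.users.get(user)
        if pw is None:
            return False
        expected = digest_response(user, pw, self.realm, method, uri, nonce)
        return hmac.compare_digest(expected, response)

    def verify_unchecked_nonce(self, user, method, uri, nonce, response):
        """The behaviour the patch fixes: the client-supplied nonce is trusted as-is."""
        return self._response_matches(user, method, uri, nonce, response)

    def verify(self, user, method, uri, nonce, response, now=None):
        """Hardened: refuse any nonce we did not mint within the window."""
        if not self.nonce_is_ours(nonce, now):
            return False
        return self._response_matches(user, method, uri, nonce, response)


def replay_demo():
    """Constructed exchange: returns (unchecked replay, checked replay, fresh, stale)."""
    users = {"alice": "s3cret"}           # same credentials on both sites
    site_a = DigestServer(os.urandom(32), REALM, users=users)
    site_b = DigestServer(os.urandom(32), REALM, users=users)
    t0 = 1_000_000

    # Attacker captures alice's authenticated request to site B ...
    nonce_b = site_b.issue_nonce(t0)
    resp_b = digest_response("alice", "s3cret", REALM, "GET", "/dav/", nonce_b)
    assert site_b.verify("alice", "GET", "/dav/", nonce_b, resp_b, now=t0 + 10)

    # ... and replays nonce+response against site A (same realm, same password).
    replay_unchecked = site_a.verify_unchecked_nonce("alice", "GET", "/dav/", nonce_b, resp_b)
    replay_checked = site_a.verify("alice", "GET", "/dav/", nonce_b, resp_b, now=t0 + 10)

    # Same-site replay: the MAC still verifies, only the stamp gives it away.
    nonce_a = site_a.issue_nonce(t0)
    resp_a = digest_response("alice", "s3cret", REALM, "GET", "/dav/", nonce_a)
    fresh = site_a.verify("alice", "GET", "/dav/", nonce_a, resp_a, now=t0 + 60)
    stale = site_a.verify("alice", "GET", "/dav/", nonce_a, resp_a, now=t0 + 301)
    return replay_unchecked, replay_checked, fresh, stale


if __name__ == "__main__":
    print(replay_demo())   # (True, False, True, False)
```

The key-binding check alone stops the cross-site replay; the age check is what stops a same-site replay, and it is exactly the check whose cost Dirk describes: once `max_age` is exceeded the server has to reject the request and the browser, which cached only the response, re-prompts for the password.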
[1.3] any reasons not to switch to hsregex on Solaris?
We use hsregex on older Solaris (2.0-2.5 or something like that). Theoretically maybe something stops working or starts working when the switch is made, but beyond that theoretical possibility does anyone have real knowledge that there is a non-trivial likelihood of that occurring or that actual problems have been seen when this was done?

I've dealt with a couple of severe performance problems with regular expressions recently with a 1.3-based server on Solaris 8. There has been ample opportunity to hear such reports on other platforms that use hsregex, yet I haven't heard anything.

In one of the cases, I was able to compare the expensive expression match on Solaris vs. AIX. The AIX build, using hsregex, had slight degradation (~10%), whereas the Solaris build, using native regex support, consumed multiple times the normal CPU.

In the current case, where it seems to loop forever in the regex code, I know the AliasMatch expressions which are being evaluated but not what request triggered it. (I should have had the customer enable ExtendedStatus and then check the server-status entry for the high-cpu child before they had to kill it :( ) The only AliasMatch directives look like this, one per vhost:

  AliasMatch ^(/.+)+(/.+\.css)$ /foo1/foo2/foo3/css/$1/$2

Probably I will end up building them a server using hsregex and get them to see if the problem reoccurs.
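An added example, not httpd code and not from the message above, to look at the AliasMatch expression quoted there: what `$1` and `$2` actually capture, how a backtracking matcher's work grows on a path it cannot match (the nested quantifier `(/.+)+` lets it try every way of cutting the path into segments), and why a faster rewrite has to be checked against the original. Python's `re` module is the assumed engine; hsregex and the Solaris libc matcher are different engines and need not behave the same way, which is the point of the message. The sample paths and the `SAFER_MATCH` rewrite are this example's own.

```python
# Added example, not httpd code: the AliasMatch pattern from the message under a
# backtracking engine (Python re, an assumption; hsregex/Solaris differ).
import re
import time

# The directive from the message:
#   AliasMatch ^(/.+)+(/.+\.css)$ /foo1/foo2/foo3/css/$1/$2
ALIAS_MATCH = re.compile(r"^(/.+)+(/.+\.css)$")
TARGET = "/foo1/foo2/foo3/css/%s/%s"

# My rewrite without the nested quantifier: the final component may not
# contain '/'.  Cheap to match, but NOT equivalent (see expand('/a/b/.css')).
SAFER_MATCH = re.compile(r"^(/.*)(/[^/]+\.css)$")


def expand(path, pattern=ALIAS_MATCH):
    """Apply the alias: rewritten path, or None when the pattern does not match."""
    m = pattern.match(path)
    if m is None:
        return None
    # With (/.+)+, $1 holds only the LAST iteration of the group; the greedy
    # backtracking order makes that "everything before the final component".
    return TARGET % (m.group(1), m.group(2))


def time_failed_match(pattern, segments):
    """Seconds spent failing to match '/a/a/.../a' (no .css) of `segments` parts."""
    path = "/a" * segments                # constructed input, nothing to match
    start = time.perf_counter()
    assert pattern.match(path) is None
    return time.perf_counter() - start


if __name__ == "__main__":
    for p in ("/site/a/b/style.css", "/css/x.css", "/x.css", "/a/b/.css"):
        print(f"{p:22} original={expand(p)}  safer={expand(p, SAFER_MATCH)}")
    # On a backtracking engine each extra segment roughly doubles the work
    # for (/.+)+, while the rewrite stays polynomial.
    for n in (8, 10, 12, 14):
        print("%2d segments: original %.4fs  safer %.6fs"
              % (n, time_failed_match(ALIAS_MATCH, n), time_failed_match(SAFER_MATCH, n)))
```

Two things worth noticing before swapping in a "safer" expression: the original yields a doubled slash in the target (`$1` and `$2` both start with `/`, and the directive inserts its own), and the rewrite rejects a last component that is only `.css` which the original accepts, so any replacement should be run over a sample of real request paths first.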
Re: [patch] - digest nonce including MM bump, doc and changes.
Dirk-Willem van Gulik wrote:
> On Thu, 18 Dec 2003, Greg Marr wrote:
>> Couldn't the new member be placed at the end of the request rec so that it's only a minor bump?
>
> Sure - does that work across all compilers ?

Yes.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff