Re: [patch] digest replay protection

2003-12-20 Thread Ben Laurie
Dirk-Willem van Gulik wrote: Right now we do not verify the nonce using in digest. This means that an attacker can replay the response from another site or section on the web site if - the user's username+password is the same across the site. - the realm name is the same Unfortunately that is

Re: [patch] digest replay protection

2003-12-20 Thread Dirk-Willem van Gulik
This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays... Correct - the trouble with timestamp checks is that ?most/some? browsers will NOT cache the password the user has entered; but the 'response' (i.e. nonce+realm+password). So if one

Re: [patch] digest replay protection

2003-12-20 Thread Ben Laurie
Dirk-Willem van Gulik wrote: This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays... Correct - the trouble with timestamp checks is that ?most/some? browsers will NOT cache the password the user has entered; but the 'response' (i.e.

[1.3] any reasons not to switch to hsregex on Solaris?

2003-12-20 Thread Jeff Trawick
We use hsregex on older Solaris (2.0-2.5 or something like that). Theoretically maybe something stops working or starts working when the switch is made, but beyond that theoretical possibility does anyone have real knowledge that there is a non-trivial likelihood of that occurring or that

Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-20 Thread Ben Laurie
Dirk-Willem van Gulik wrote: On Thu, 18 Dec 2003, Greg Marr wrote: Couldn't the new member be placed at the end of the request rec so that it's only a minor bump? Sure - does that work across all compilers? Yes. Cheers, Ben. -- http://www.apache-ssl.org/ben.html