Doug's analysis of the patch is right on, but he doesn't go far enough.

1. The author of the patch clearly thinks that security consists of
sprinkling magic SHA-1 HMAC challenge response pixie dust over the code
in a random fashion.  This means that any revised patch must be viewed
with suspicion.

2. SHA-1 isn't even the recommended flavor of pixie dust anymore.  Use
SHA-256.

The right thing to do is have the login over SSL.

The next best thing to do is to use SRP.  It's the only thing that lets
you have secure passwords on the server and secure transmission of
passwords from the client.  There's a JavaScript library available at
http://sourceforge.net/projects/clipperz

Otherwise you have a choice of insecure password storage or insecure
password transmission.



_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
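The SRP exchange the post recommends, as an added example that is not code from the original post, from Repoze, or from the Clipperz library it links to: SRP-6a with SHA-256 in pure Python, with both sides of the exchange written out. The names (SrpServer, SrpClient, run_login, register, client_proof) are this example's own; the group constant is assumed to be the 1024-bit group of RFC 5054 and should be checked against the RFC before reuse; the client proof follows the RFC 2945 form, which some implementations simplify differently.

```python
import hashlib
import hmac
import secrets

# Assumed to be the 1024-bit group of RFC 5054 (g = 2); verify the constant
# against the RFC before reusing it.  Client and server must share N, g and H.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    """PAD() of RFC 5054: big-endian, left-padded to the byte length of N."""
    return x.to_bytes(NLEN, "big")

def H_bytes(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def H_int(*parts: bytes) -> int:
    return int.from_bytes(H_bytes(*parts), "big")

k = H_int(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_key(salt: bytes, identity: str, password: str) -> int:
    """x = H(s | H(I ":" P)); only the client ever computes this."""
    return H_int(salt, H_bytes(f"{identity}:{password}".encode()))

def register(identity: str, password: str) -> dict:
    """Enrolment: the server stores (I, s, v); v = g^x mod N is not the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_key(salt, identity, password), N)
    return {"I": identity, "s": salt, "v": v}

def client_proof(identity: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K), the RFC 2945 form."""
    hng = bytes(x ^ y for x, y in zip(H_bytes(pad(N)), H_bytes(pad(g))))
    return H_bytes(hng, H_bytes(identity.encode()), salt, pad(A), pad(B), K)

class SrpServer:
    def __init__(self, record: dict):
        self.rec = record

    def challenge(self, A: int):
        """Message 2: receive A, answer with the salt and B = k*v + g^b."""
        if A % N == 0:
            raise ValueError("illegal client public value A")
        self.A, self.b = A, secrets.randbits(256)
        self.B = (k * self.rec["v"] + pow(g, self.b, N)) % N
        return self.rec["s"], self.B

    def verify(self, M1: bytes):
        """Message 4: check the client's proof; return M2, or None on failure."""
        u = H_int(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.rec["v"], u, N), self.b, N)
        K = H_bytes(pad(S))
        expected = client_proof(self.rec["I"], self.rec["s"], self.A, self.B, K)
        if not hmac.compare_digest(expected, M1):
            return None  # wrong password or tampered exchange: no session
        return H_bytes(pad(self.A), M1, K)  # M2 proves the server knew v

class SrpClient:
    def __init__(self, identity: str, password: str):
        self.I, self.P, self.a = identity, password, secrets.randbits(256)
        self.A = pow(g, self.a, N)  # message 1

    def respond(self, salt: bytes, B: int) -> bytes:
        """Message 3: derive the shared key from the password and prove it."""
        u = H_int(pad(self.A), pad(B))
        if B % N == 0 or u == 0:
            raise ValueError("illegal server public value B")
        x = private_key(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H_bytes(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def confirm(self, M2) -> bool:
        if M2 is None:
            return False
        return hmac.compare_digest(M2, H_bytes(pad(self.A), self.M1, self.K))

def run_login(record: dict, identity: str, password: str):
    """Full exchange; returns (server accepted client, client accepted server)."""
    client, server = SrpClient(identity, password), SrpServer(record)
    salt, B = server.challenge(client.A)
    M2 = server.verify(client.respond(salt, B))
    return M2 is not None, client.confirm(M2)
```

Calling `register("alice", "...")` and then `run_login(record, "alice", "...")` returns `(True, True)` for the right password and `(False, False)` for a wrong one. What the exchange carries is A, the salt and B, and the two proofs M1 and M2; the password itself never crosses the wire and the server only holds the verifier v, which does not let someone who steals the database authenticate as the client. That is the combination the post says a plain HMAC challenge-response cannot give. A stolen v does still permit offline guessing of weak passwords, and SRP protects only the login, so the session that follows still needs SSL.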
