On Mon, 24 May 2004, "Slivarez!" wrote:

> Thanks for the advice, but I need to make something clear to me. The main
> problem with ncsa_auth is SNIFFERS, i.e. simply a sniffer can get the password
> from a TCP packet. Does the digest helper allow encrypting the password before
> transmitting it to a proxy (or how does it work)?

Digest never transmits the password over the wire. Digest uses secure one-time hashes on the wire, meaning that even if an attacker sniffs the wire traffic he cannot use what is found, or at worst, if the security level is set low, reuse the information only to log in to the proxy for a short time after it was seen on the wire. It is still possible to use a dictionary attack on the secure hash to try to guess offline what the password is, but this requires a significant amount of CPU time in MD5 hash operations.

Regards
Henrik
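
Added example, not part of the original message and not Squid's own code: a minimal RFC 2617 Digest (qop=auth, MD5) verifier showing that only a nonce-bound hash crosses the wire and that a captured response fails when replayed or presented against a fresh nonce. The names `ProxyVerifier`, `demo`, the user, realm and password are constructed for illustration, and the strict nonce-count check is an assumed "high" security setting.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # The verifier only needs this hash, never the cleartext password.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth: this value is what a sniffer sees.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class ProxyVerifier:  # hypothetical server-side checker
    def __init__(self, ha1_by_user):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {}  # issued nonce -> highest nonce count accepted

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.last_nc or user not in self.ha1_by_user:
            return False  # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.last_nc[nonce]:
            return False  # nonce count already used: replayed request
        expected = digest_response(self.ha1_by_user[user], method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = int(nc, 16)
        return True

def demo():
    realm, password = "proxy.example", "constructed-sample-password"
    verifier = ProxyVerifier({"alice": ha1("alice", realm, password)})
    nonce, cnonce, uri = verifier.new_nonce(), secrets.token_hex(8), "http://www.example.com/"
    wire = ("alice", "GET", uri, nonce, "00000001", cnonce,
            digest_response(ha1("alice", realm, password), "GET", uri, nonce, "00000001", cnonce))
    first = verifier.verify(*wire)    # legitimate request is accepted
    replay = verifier.verify(*wire)   # identical captured fields are rejected
    other = verifier.verify("alice", "GET", uri, verifier.new_nonce(), "00000001", cnonce, wire[6])
    return first, replay, other       # captured hash is useless against a new nonce

if __name__ == "__main__":
    print(demo())
```

A deployment that accepts a nonce for a time window without tracking the nonce count corresponds to the "low" setting described in the reply, where a captured response stays usable until the nonce expires.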
