

> If 
> somebody's trying to brute force guess passwords by logging in 
> repeatedly, that's pretty much the same issue with either cookies or 
> digest authentication.

No.  If I can get the plaintext request and response to a HTTP 
digest-auth message, then I can do my attack completely offline without 
involving the server at all.  That is a *huge* difference compared to 
repeatedly trying to log in (i.e., guess the password).  And remember, 
what's then been broken is the client's login password, not a 
finite-lifetime session key.

Given the recent messages and links about digest, I think we have to 
admit that it's a non-interoperable mechanism that's only slightly 
better than basic-auth, and its client-side management facilities and 
end-user knowledge are worse than cookies.
	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
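The distinction drawn in the message above, as an added illustration that is not part of the original thread: the RFC 2617 digest response is a deterministic function of the password and of values that all travel on the wire (realm, nonce, cnonce, nc, qop, method, URI), so one captured exchange is enough to verify any password guess without contacting the server; a random, finite-lifetime session token carries no password material and stops working at expiry. The digest test vector is the worked example from RFC 2617 section 3.5; the session store is a hypothetical in-memory one written for this example.

```python
import hashlib
import secrets

# Worked example from RFC 2617 section 3.5 (public test vector).
# Everything here except the password is visible to an eavesdropper.
RFC2617_EXCHANGE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
}
RFC2617_PASSWORD = "Circle Of Life"
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"


def md5_hex(text: str) -> str:
    """MD5 as a lowercase hex string, as RFC 2617 requires."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(ex: dict, password: str) -> str:
    """Compute the RFC 2617 'response' value for qop=auth.

    response = MD5(HA1 : nonce : nc : cnonce : qop : HA2)
    HA1      = MD5(username : realm : password)
    HA2      = MD5(method : uri)
    """
    ha1 = md5_hex(f"{ex['username']}:{ex['realm']}:{password}")
    ha2 = md5_hex(f"{ex['method']}:{ex['uri']}")
    return md5_hex(
        f"{ha1}:{ex['nonce']}:{ex['nc']}:{ex['cnonce']}:{ex['qop']}:{ha2}"
    )


def capture_confirms_password(ex: dict, captured_response: str,
                              candidate: str) -> bool:
    """The server-side check, run by whoever holds the captured exchange.

    Nothing here needs the server: the captured response alone is an
    oracle for the password, which is the point made in the message.
    """
    return secrets.compare_digest(digest_response(ex, candidate),
                                  captured_response)


# --- Contrast: a random session token with a lifetime (hypothetical store) ---
SESSION_LIFETIME_S = 900  # 15 minutes; assumption for this example


def issue_session(store: dict, username: str, now: float) -> str:
    """Mint a session token. It is random, so it reveals nothing about
    the password even if captured; the record fixes its expiry."""
    token = secrets.token_urlsafe(32)
    store[token] = {"user": username, "expires": now + SESSION_LIFETIME_S}
    return token


def session_user(store: dict, token: str, now: float):
    """Return the user for a live token, or None once it has expired.

    A captured token is therefore useful only until 'expires', and its
    loss is repaired by revoking it, not by changing the user's password.
    """
    rec = store.get(token)
    if rec is None or now >= rec["expires"]:
        store.pop(token, None)
        return None
    return rec["user"]


if __name__ == "__main__":
    print("RFC 2617 response matches:",
          digest_response(RFC2617_EXCHANGE, RFC2617_PASSWORD) == RFC2617_RESPONSE)
    store = {}
    tok = issue_session(store, "alice", now=1000.0)
    print("token live:", session_user(store, tok, now=1100.0))
    print("token after expiry:", session_user(store, tok, now=2000.0))
```

Run as a script, the first line confirms the computation reproduces the RFC's published response; the remaining lines show the session token resolving to its user inside the lifetime and to nothing afterwards. The practical consequence for a deployer is the one the message implies: digest exchanges need TLS just as much as cookies do, and what a cookie exposes when captured is bounded by its lifetime rather than by the user's password.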

