Bug #630 has made me wonder if we maybe should add knobs to Squid to
make the digest authentication less strict.
a) Ability to disable the nonce count check entirely
b) Workaround to browsers incorrectly calculating the digest response
using GET even when the request is actually a POST.
These two should considerably broaden the current target of browsers
which can use digest with only modest drawbacks compared to having to
use basic authentication..
'a' allows for a replay attack while the nonce is still active
'b' allows the replay attack with requests modified to use POST or
other request methods to the same URI as there has been a GET
request.
Technical note: It is a pity the digest scheme does not use the URL
for proxy authentication and not only the only the URI/url-path. If
it did then the issue of replay attacks to proxies would be much more
limited.
Comments?
Regards
Henrik
Received on Tue May 13 2003 - 18:31:22 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:55 MST