[jdev] MD5 auth problem
Dave Cridland
dave at cridland.net
Thu May 25 06:32:57 CDT 2006

On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.
Yes it should.
Consider the case where the server is compromised. TLS privacy is 
only good on the wire, so if you use PLAIN (or any plaintext password 
mechanism), you've handed the attacker your password. So unless the 
server cannot be compromised, a client has every right to complain.
If you use DIGEST-MD5, then the attacker only has a plaintext 
equivalent good enough to authenticate with the compromised server, 
and cannot obtain anything better from the authentication process on 
the wire - if the server is compromised, therefore, you've lost 
privacy, but not your password.
Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
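Dave's distinction between PLAIN and DIGEST-MD5 on a compromised server, as an added example that is not part of this thread: it computes the DIGEST-MD5 response as RFC 2831 defines it and contrasts what the server ends up holding under each mechanism. The username, realm, password, nonces and digest-uri are constructed values.

```python
import hashlib
import hmac


def stored_secret(username: str, realm: str, password: str) -> bytes:
    # H(username ":" realm ":" passwd) from RFC 2831: what a DIGEST-MD5 server
    # stores instead of the password, i.e. the "plaintext equivalent".
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    # RFC 2831 response-value (qop=auth), computed from the stored secret alone.
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def client_respond(username: str, realm: str, password: str,
                   nonce: str, cnonce: str, digest_uri: str) -> str:
    # Client side: the password is only used locally; just the response is sent.
    secret = stored_secret(username, realm, password)
    return digest_response(secret, nonce, cnonce, digest_uri)


def server_verify(secret: bytes, nonce: str, cnonce: str,
                  digest_uri: str, response: str) -> bool:
    # Server side: verifies with its stored secret; it never sees the password.
    expected = digest_response(secret, nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, response)


def plain_server_learns(username: str, password: str) -> str:
    # SASL PLAIN message: authzid NUL authcid NUL passwd. TLS ends at the
    # server, so whoever controls the server reads the password itself.
    message = b"\0" + username.encode() + b"\0" + password.encode()
    _authzid, _authcid, passwd = message.split(b"\0")
    return passwd.decode()


if __name__ == "__main__":
    # Constructed values; real nonces are random.
    secret = stored_secret("dwd", "jabber.example", "correct horse")
    resp = client_respond("dwd", "jabber.example", "correct horse", "n1", "c1", "xmpp/jabber.example")
    print("PLAIN server holds:", plain_server_learns("dwd", "correct horse"))
    print("DIGEST server holds:", secret.hex(),
          "valid:", server_verify(secret, "n1", "c1", "xmpp/jabber.example", resp))
    # Same password at another realm gives a different secret: the leak is realm-bound.
    print("reusable elsewhere:", secret == stored_secret("dwd", "other.example", "correct horse"))
```

The stored secret still answers any challenge for that one username and realm, which is the "plaintext equivalent" Dave describes, but it is not the password and does not carry over to a different realm. DIGEST-MD5 itself was later moved to historic status by RFC 6331.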