[jdev] MD5 auth problem

Tony Finch dot at dotat.at
Thu May 25 07:40:48 CDT 2006


On Thu, 25 May 2006, Dave Cridland wrote:
>
> Consider the case where the server is compromised.

A client compromise is much more likely :-)

> If you use DIGEST-MD5, then the attacker only has a plaintext equivalent good
> enough to authenticate with the compromised server, and cannot obtain anything
> better from the authentication process on the wire - if the server is
> compromised, therefore, you've lost privacy, but not your password.

AFAIK most DIGEST-MD5 implementations keep bare passwords on the server,
so a server compromise would expose them all.

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
DENMARK STRAIT: NORTH OR NORTHWEST 4 OR 5, INCREASING 6 FOR A TIME IN
EAST, OCCASIONALLY VARIABLE 4 IN WEST. LIGHT ICING IN EAST, TEMPERATURES
ZERO TO MS02.
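The distinction both posts turn on is what the server has to store. DIGEST-MD5 (RFC 2831) never needs the bare password: its H(A1) is built from H(username:realm:password), so a server can keep that 16-byte value instead. That value is a "plaintext equivalent" in Dave's sense (whoever holds it can authenticate to servers of that realm), but it is realm-bound and does not yield the password itself. The following Python is an added example written for this thread, not code from either poster or from any Jabber server; it implements the RFC 2831 response and rspauth computation and checks it against the example exchange in RFC 2831 section 4 (user "chris", realm "elwood.innosoft.com", password "secret"). The nonce and cnonce values in the demo are the ones from that example; everything else is constructed.

```python
"""DIGEST-MD5 (RFC 2831) client response and server rspauth computation.

Point of the example: the server only needs H(user:realm:password), not the
password, to verify a client.  Example code for the jdev thread, not from
the original posts."""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """Server-side credential H(username:realm:password).

    This is all the server needs for this realm.  If it leaks, the attacker
    can authenticate to servers of this realm (a plaintext equivalent), but
    the password is not exposed and the hash is useless for other realms."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
            digest_uri: str, a2_prefix: str) -> str:
    # A1 = { H(user:realm:pass), ":", nonce, ":", cnonce }   (no authzid here)
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for the
    # server's rspauth; auth-int and auth-conf append 32 zero hex digits.
    a2 = f"{a2_prefix}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    # with KD(k, s) = H(k ":" s)
    kd_input = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}"
    return _hexh(kd_input.encode("utf-8"))


def client_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Value the client sends in the 'response' directive."""
    return _digest(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_rspauth(secret: bytes, nonce: str, cnonce: str, nc: str,
                   qop: str, digest_uri: str) -> str:
    """Value the server sends back as 'rspauth' for mutual authentication."""
    return _digest(secret, nonce, cnonce, nc, qop, digest_uri, "")


def server_verify(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored hash only and compare in
    constant time.  Note that no password is needed at this point."""
    expected = client_response(secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, realm: str, password: str, digest_uri: str,
                 nonce: str, cnonce: str):
    """Simulate one exchange.  The client derives the secret from the
    password; the server holds only the stored hash (constructed setup)."""
    nc, qop = "00000001", "auth"
    client_secret = stored_secret(username, realm, password)   # client side
    server_db = {(username, realm): client_secret}             # server side
    response = client_response(client_secret, nonce, cnonce, nc, qop, digest_uri)
    secret = server_db[(username, realm)]
    ok = server_verify(secret, nonce, cnonce, nc, qop, digest_uri, response)
    rspauth = server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri)
    return ok, response, rspauth


if __name__ == "__main__":
    ok, resp, rsp = run_exchange("chris", "elwood.innosoft.com", "secret",
                                 "imap/elwood.innosoft.com",
                                 "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk")
    print("verified:", ok)
    print("response:", resp)
    print("rspauth: ", rsp)
```

The realm binding is the practical caveat: a stored hash for elwood.innosoft.com cannot be replayed against a server in another realm, but every server sharing a realm (and its credential database) is equally exposed if that hash leaks, which is Dave's "plaintext equivalent good enough to authenticate with the compromised server". Whether a given deployment actually stores the hash rather than the password, as Tony notes, is an implementation choice, not something the mechanism enforces.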
