Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Cookies at XML Europe 2004 -- Call for Participation
 > Bottom line: SSL on: everything is safe. SSL off: HTTP digest > authentication, while not perfect given likely weak passwords, is more > secure than cookie based authentication. No. With SSL on, everything is safe, except that we've seen that digest-auth doesn't have interoperable implementations, and it's repeatedly using your login password which is a very bad thing. You don't believe so, oh well. I don't have time to look it up, but the IETF security WG disallowed this kind of thing in LDAP for exactly that reason. Without SSL, the risk is "offline attack on gets long-term password" for digest, and for cookie its "packet snarf gets limited access." That tradeoff alone would make the concerned (or liable) party tend to go for cookies, don'tcha think? And the cookie risks can be mediated in several ways, including: 1. Make the lifetime short, but renewable; long enough for the expected transaction lifetime (e.g., time spent through the shopping cart) 2. Make the lifetime be a "number of uses" count. This would make it obvious to client and server when someone has stolen the session, not something possible with an off-line dictionary attack against digest-auth. 3. (As Alaric mentioned) require re-login and SSL when entering the "no turning back" phase. Things may be worse than you think, but only if you try to use digest. :) /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
