On Sat, 5 Mar 2022 15:07:15 GMT, Jaikiran Pai <j...@openjdk.org> wrote:
>> Hi,
>>
>> Could I get the following change reviewed please, which is to disable the
>> MD5 message digest algorithm by default in the HTTP Digest authentication
>> mechanism? The algorithm can be opted into by setting a new system property
>> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also
>> updates the Digest authentication implementation to use some of the more
>> secure features defined in RFC7616, such as username hashing and additional
>> digest algorithms like SHA256 and SHA512-256.
>>
>> - Michael
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
> line 514:
>
>> 512: if (getAuthType() == AuthCacheValue.Type.Server &&
>> 513: getProtocolScheme().equals("https")) {
>> 514: // HTTPS server authentication can use any algorithm
>
> Hello Michael,
> Should it be noted somewhere in the text of the linked CSR that the property
> values play no role if the request URL's scheme is HTTPS (and proxy isn't
> involved)?
>
> As a related question - should the implementation even bother about this HTTP
> vs HTTPS protocol check? As far as I understand, the reason why we are
> proposing to disable support for MD5 is because of its cryptographic
> weakness/vulnerabilities. So irrespective of whether or not the computed MD5
> (or any other disabled algorithm) digest value gets transferred over HTTP or
> HTTPS, the value would still be cryptographically vulnerable isn't it?
The distinction may be worth mentioning in the CSR and the docs. The
distinction is useful because like Basic authentication which is completely
insecure with plaintext HTTP, it is secure and a potentially useful web
authentication scheme controlled by the browser when run over HTTPS (except
when authenticating with HTTPS to a proxy).
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
