On 27 Jan 2009, at 21:00, André Warnier wrote:

> The only real weak spot is the "man in the middle".

Heh.  You mean it doesn't use client certificates.  The server knows
it's talking to just one client, but can't be certain who that client is.

You can use the same attack with HTTPS, too.  The difference
there is that the browser will show the user that the connection is
not secure, which is useful only if the user knows the connection
needs to be secure:

Server  <-- Digest -->  Proxy  <-- Basic -->  Client
Server  <-- HTTPS  -->  Proxy  <-- HTTP  -->  Client

In both cases, the connection from server to proxy is secure,
but the client end isn't.

--
Nick Kew
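The point about the Digest leg, as an added Python example that is not part of the thread: a Digest response (RFC 2617) is a function of the password and of values sent in the clear, so a server that validates a correct response learns only that a password holder answered its nonce, not which endpoint that was. The realm, nonce and credentials are constructed from the RFC 2617 section 3.5 test vector; no network traffic is involved.

```python
import base64
import hashlib

# Constructed sample: the RFC 2617 section 3.5 test vector, plus the same
# credentials encoded as a Basic header (what the client leg in the diagram carries).
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"Mufasa:Circle Of Life").decode()


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth. Every input is either public
    (sent in the clear on the wire) or the password itself: nothing binds the
    result to the TCP/TLS endpoint the real client is sitting on."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def decode_basic(header_value: str):
    """(user, password) from an 'Authorization: Basic ...' value. Basic is
    plaintext to anyone who sees the bytes, which on a plain-HTTP leg is
    anyone in the path."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def server_accepts(stored_password, user, response, method, uri, nc, cnonce):
    """Server-side verification: recompute with the stored password and compare.
    A match proves that *someone* holding the password answered this nonce;
    it says nothing about who is on the far end of the socket."""
    expected = digest_response(user, REALM, stored_password, method, uri, NONCE, nc, cnonce)
    return response == expected


def relayed_response_validates(basic_header, stored_password, method, uri, nc, cnonce):
    """The thread's diagram in one call: credentials read from a Basic header on
    the client leg are enough to answer the server's Digest challenge, and the
    server cannot distinguish this from the real client answering."""
    user, password = decode_basic(basic_header)
    response = digest_response(user, REALM, password, method, uri, NONCE, nc, cnonce)
    return server_accepts(stored_password, user, response, method, uri, nc, cnonce)
```

The deployment consequence is the one the thread draws: securing only the server leg leaves the password readable on the client leg, and nothing in the server's check can notice, which is why the fix has to be TLS on the client leg (with the user able to tell it is required) or client certificates.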
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
