[JDEV] Security

William Ahern wahern at jinsa.org
Fri Apr 7 15:37:47 CDT 2000

On Fri, 07 Apr 2000, you wrote:
> First off (security-wise) there are three things, two of which already
> exist:
> - digest auth can be used to authenticate to the server - this makes it so
> that the password is not sent to the server in plaintext, so that someone
> snooping the connection will not be able to see the users password then log
> in as them

Maybe I'm misunderstanding you, but just sending something like an md5 sum
over the wire is equivalent to sending plaintext, since either way a sniffer
can see what it needs.

I'm using an SRP enabled telnet solution on my unix boxes. I wish this was more
widely used. It doesn't 'encrypt' the passwd to keep it secure, but uses a
tested algorithm that allows the server to determine whether or not the client
has the appropriate passwd. Nothing is sent, encrypted or otherwise, that could
compromise the passwd.
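The nonce-based digest exchange the two posts are arguing about, written out as an added example (it is not part of the original thread and not Jabber's own authentication code). The SHA-256 hash, the `nonce||password` construction and the `hunter2` credential are assumptions chosen for illustration; the point it shows is what a passive sniffer does and does not get from one captured exchange.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: the digest is SHA-256 over nonce||password.
# The server must hold the password (or a password-equivalent) to verify it,
# which is exactly the property SRP-style protocols avoid.


def server_challenge():
    """Server side: issue a fresh, unpredictable nonce for this session."""
    return secrets.token_hex(16)


def client_response(nonce, password):
    """Client side: prove knowledge of the password without sending it."""
    return hashlib.sha256((nonce + password).encode()).hexdigest()


def server_verify(nonce, response, stored_password):
    """Server side: recompute the expected digest; constant-time compare."""
    expected = client_response(nonce, stored_password)
    return hmac.compare_digest(expected, response)


def session(password, stored_password):
    """One complete exchange. Returns (nonce, response, accepted)."""
    nonce = server_challenge()
    response = client_response(nonce, password)
    return nonce, response, server_verify(nonce, response, stored_password)


def replay(captured_response, stored_password):
    """A sniffer who captured one response tries it in a new session.
    The server's fresh nonce makes the captured digest useless, so the
    digest is not 'equivalent to plaintext' against replay.  What the
    sniffer does keep is (nonce, response), which is enough material for
    an offline guess of a weak password; that residual risk is the reason
    the digest alone is not the end of the story."""
    new_nonce = server_challenge()
    return server_verify(new_nonce, captured_response, stored_password)
```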


