[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
ralphs at blueairnetworks.com
Tue May 27 22:06:23 UTC 2003
Dave Smith wrote:
> digest auth == SHA1(stream id + password-plaintext)
> edigest auth == SHA1(stream id + SHA1(password-plaintext))
> This would mean that one never sends the plaintext password over the
> wire, even for registration.
That is true. But you are sending only a variation with no challenge
posed from the server. So, anyone with a packet sniffer can capture the
SHA1(password-plaintext) as it is transmitted. This includes your
friendly sysadmin who you wish you could trust. The sniffed hashed
password is all it takes for another client to duplicate the same
connection - they do not need to know the original password.
So, as was pointed out earlier, the effect of hashing the password is no
different than sending the plain password. It is just a different
string being sent around. Anyone can see this string, either by
sniffing the traffic or by looking at the spool file. And then they can
So, you have to weigh the efforts of changing all the clients against
this supposed "increase" in security that in fact is exactly the same as
what we have with digest right now.
The issue of the password being sniffed cannot be fixed, whether it is
encrypted or not, without the use of something like SSL or SASL, and
that requires client changes - which will take time to implement and
adopt over the millions of users.
So focus on the other problem - that of the password being stored
plaintext on the server. There are a variety of ways to avoid that, all
of which do not require any changes to the clients to implement, and
will not break any existing clients.
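To make the replay point concrete, here is an added example (not code from JEP 78, the post, or any Jabber implementation) that models the quoted digest/edigest formulas and runs the exchange the post describes: a client registers by sending SHA1(password), and an attacker who saw only that value on the wire, or in the server's spool file, authenticates on a fresh stream without knowing the password. The hex encoding of the inner SHA1, the stream id format, the user name and the password are all constructed assumptions for the demo.

```python
"""Added illustration: why a sniffed SHA1(password) is password-equivalent
under the proposed 'edigest' scheme. Not code from JEP 78 or the post;
encodings (hex) and message shapes are assumptions made for this demo."""
import hashlib
import secrets


def sha1_hex(data: str) -> str:
    """SHA1 over UTF-8 text, hex-encoded (assumed encoding at both levels)."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def digest_response(stream_id: str, password: str) -> str:
    """digest auth as quoted in the post: SHA1(stream id + password)."""
    return sha1_hex(stream_id + password)


def edigest_response(stream_id: str, hashed_password: str) -> str:
    """edigest auth as quoted: SHA1(stream id + SHA1(password)).
    The caller supplies SHA1(password); the plaintext never appears here."""
    return sha1_hex(stream_id + hashed_password)


class Server:
    """Minimal server side. The spool holds whatever registration sent,
    which for edigest is SHA1(password) rather than the password itself."""

    def __init__(self) -> None:
        self.spool: dict[str, str] = {}

    def register_edigest(self, user: str, hashed_password: str) -> None:
        self.spool[user] = hashed_password

    def new_stream_id(self) -> str:
        # Constructed: an unpredictable id sent in the server's stream header.
        return secrets.token_hex(16)

    def verify_edigest(self, user: str, stream_id: str, response: str) -> bool:
        stored = self.spool.get(user)
        if stored is None:
            return False
        return response == edigest_response(stream_id, stored)


def run_scenario(password: str = "correct horse") -> dict[str, bool]:
    """Constructed exchange: a legitimate registration and login, then an
    attacker who only saw the wire (or the spool file) logging in on a new
    stream. Returns which attempts the server accepted."""
    server = Server()
    user = "alice"  # constructed user

    # Registration: client sends SHA1(password) so the server can check
    # edigest later. This value is what a sniffer captures.
    wire_registration = sha1_hex(password)
    server.register_edigest(user, wire_registration)

    # Legitimate login on stream 1; this response is also visible on the wire.
    stream1 = server.new_stream_id()
    wire_response1 = edigest_response(stream1, sha1_hex(password))
    legit_ok = server.verify_edigest(user, stream1, wire_response1)

    # Attacker: knows only the sniffed registration hash, not `password`.
    sniffed_hash = wire_registration
    stream2 = server.new_stream_id()
    attacker_ok = server.verify_edigest(
        user, stream2, edigest_response(stream2, sniffed_hash))

    # The same works from a copy of the spool file, no sniffing required.
    spool_copy = dict(server.spool)
    stream3 = server.new_stream_id()
    spool_ok = server.verify_edigest(
        user, stream3, edigest_response(stream3, spool_copy[user]))

    # For contrast: replaying the per-stream *response* from stream 1 on
    # stream 2 fails, because the stream id differs. It is the registration
    # hash (and the spool entry) that is reusable across every stream.
    response_replay_ok = server.verify_edigest(user, stream2, wire_response1)

    return {
        "legit_ok": legit_ok,
        "attacker_ok": attacker_ok,
        "spool_ok": spool_ok,
        "response_replay_ok": response_replay_ok,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two paths the post names: the sniffed SHA1(password) from registration and the value sitting in the spool file are each sufficient to authenticate on any later stream, because the server has nothing to compare against except that same hash.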