mail admins?

On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas <mike at mtcc.com> wrote:
> On 4/26/20 8:39 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
> >> Which has exactly zero deployment. And you need to store the plain-text password
> >> on the server side. What could possibly go wrong?
> > But you said that *passwords on the wire* were the biggest problem.  Digest
> > auth solves that.  Also, you don't have to store the plain-text password.

Correct. You need only store the realm/user/password digest. The chief
problem with digest authentication is that the web site has no control
over the UI. Among the many issues, this makes it tricky to reliably
capture a digest in the first place without the server at least
briefly knowing the password. I don't know if webauthn corrects this
or makes similar blunders.

> You clearly know everything, while Steven, Paul, myself and the
> collective wisdom of w3c know nothing, so I'm out.

Respectfully, if you didn't know that http digest authentication
doesn't require server-side password storage, and more importantly
don't simply admit it now that you've been informed, how trustworthy
can your understanding of web authentication be?

I can't speak to Steven, Paul, the w3c or any other non-posters to
this thread that you wish to employ in an appeal to authority fallacy
but with due respect, I think you hold a myopic view of network
security. For better or worse, security is a zero-sum game. The budget
stays proportional to the value of the asset being protected. When you
spend it on low-impact improvements you don't have it for the many
improvements with a higher impact than whether a web site knows the
password you chose for that web site.

Bill Herrin

William Herrin
bill at herrin.us
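As an added illustration of the point argued above (example code, not from anyone in this thread): a minimal RFC 2617 digest flow in which the server persists only HA1 = MD5(user:realm:password) and verifies later requests from that digest alone; enrollment is the one step where the server briefly handles the password. The realm, user, password and nonces are constructed values.

```python
import hashlib
import secrets


def _h(s: str) -> str:
    # RFC 2617 default algorithm is MD5; it is a fingerprint here, not a KDF.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def enroll(username: str, realm: str, password: str) -> str:
    """Server side, once, via the site's own signup form (the browser's
    digest UI cannot do this step). The server sees the password only here
    and stores nothing but the returned HA1 digest."""
    return _h(f"{username}:{realm}:{password}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side (qop=auth): recompute HA1 from the password the user typed,
    then bind it to the server nonce, request counter and client nonce."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
           cnonce: str, response: str) -> bool:
    """Server side: only the stored HA1 is needed; the plaintext password is
    never on the server and never on the wire."""
    ha2 = _h(f"{method}:{uri}")
    expected = _h(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)


def new_nonce() -> str:
    # Fresh server nonce per challenge; a replayed response fails on a new one.
    return secrets.token_hex(16)


if __name__ == "__main__":
    realm, user, pw = "example.test", "alice", "correct horse"   # constructed
    ha1 = enroll(user, realm, pw)                 # the only thing persisted
    nonce, cnonce = new_nonce(), secrets.token_hex(8)
    resp = client_response(user, realm, pw, "GET", "/index.html", nonce, "00000001", cnonce)
    print("stored HA1:", ha1)
    print("verified:", verify(ha1, "GET", "/index.html", nonce, "00000001", cnonce, resp))
```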