[wildfly-dev] Removing curl support from management HTTP
Jason Greene
jason.greene at redhat.com
Wed Jan 8 16:55:29 EST 2014
That’s an attack against a signature where you know the content and the length of the secret. In a challenge response protocol this information is not known.
On Jan 8, 2014, at 3:24 PM, Radoslaw Rodak <rodakr at gmx.ch> wrote:
> Hi
>
> It starts to be interesting :-)
> What about a hash length extension attack...
>
> https://blog.whitehatsec.com/hash-length-extension-attacks/
>
> Cheers Radek
>
>
> On 08.01.2014 at 21:54, Jason Greene <jason.greene at redhat.com> wrote:
>
>>
>> On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi at redhat.com> wrote:
>>
>>> I'm not sure what other auth mechanism you are talking about. There
>>> might be something new and very elaborate.
>>
>> Just a SHA based digest vs an MD5 one
>>
>>>
>>> But the problem with non-encrypted connections is that any hash could be
>>> used without the need to recover the plain text password. With cookies,
>>> one can sniff and use them.
>>
>> That’s not true. Digest is a challenge response protocol that uses a nonce as part of the sent hash. A packet sniffed hash can’t be replayed.
>>
>> --
>> Jason T. Greene
>> WildFly Lead / JBoss EAP Platform Architect
>> JBoss, a division of Red Hat
>>
>>
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
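To make the replay point concrete, here is an added example (not code from this thread or from WildFly) that computes a simplified HTTP Digest response and verifies it server-side: the response is bound to the nonce the server issued, so a response captured off the wire fails against a fresh nonce or a nonce that has already been consumed. The DigestServer class, realm and credentials are constructed for illustration; the hash algorithm is selectable to mirror the MD5 vs SHA remark above.

```python
import hashlib
import hmac
import secrets

# Simplified RFC 2617 "MD5" digest (no qop/cnonce); algo may also be "sha256",
# the variant later standardised in RFC 7616. Constructed illustration.
def digest_response(username, realm, password, method, uri, nonce, algo="md5"):
    h = lambda s: hashlib.new(algo, s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")   # secret-bearing half
    ha2 = h(f"{method}:{uri}")                  # request-bearing half
    return h(f"{ha1}:{nonce}:{ha2}")            # bound to the server nonce


class DigestServer:
    """Hypothetical verifier: issues single-use nonces and checks responses."""

    def __init__(self, realm, users, algo="md5"):
        self.realm, self.users, self.algo = realm, users, algo
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)      # unpredictable, never reused
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.live_nonces or username not in self.users:
            return False                   # unknown, expired or already-used nonce
        self.live_nonces.discard(nonce)    # single use: a replay cannot succeed
        expected = digest_response(username, self.realm, self.users[username],
                                   method, uri, nonce, self.algo)
        return hmac.compare_digest(expected, response)


def replay_scenario(algo="md5"):
    """Returns (first_attempt_ok, sniffed_replay_ok, replay_with_new_nonce_ok)."""
    srv = DigestServer("ManagementRealm", {"admin": "constructed-pw"}, algo)
    nonce = srv.challenge()
    sniffed = digest_response("admin", "ManagementRealm", "constructed-pw",
                              "GET", "/management", nonce, algo)
    first = srv.verify("admin", "GET", "/management", nonce, sniffed)
    replay = srv.verify("admin", "GET", "/management", nonce, sniffed)
    fresh = srv.challenge()
    replay_new = srv.verify("admin", "GET", "/management", fresh, sniffed)
    return first, replay, replay_new
```

Run `replay_scenario()` to see the captured response accepted once and rejected on both replay paths; `replay_scenario("sha256")` gives the same outcome with a SHA-256 digest.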