Re: [wildfly-dev] Removing curl support from management HTTP

Hi It starts to be interesting :-) Whats about hash length extension attack... https://blog.whitehatsec.com/hash-length-extension-attacks/ Cheers Radek Am 08.01.2014 um 21:54 schrieb Jason Greene <jason.greene(a)redhat.com&gt;: > > On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi(a)redhat.com&gt; wrote: > >> I'm not sure what other auth mechanism you are talking about. There >> might be something new and very elaborated. > > Just a SHA based digest vs an MD5 one > >> >> But the problem with non-encrypted connections is that any hash could be >> used without the need to recover the plain text password. With cookies, >> one can sniff and use them. > > That’s not true. Digest is a challenge response protocol that uses a nonce as part of the sent hash. A packet sniffed hash can’t be replayed. > > -- > Jason T. Greene > WildFly Lead / JBoss EAP Platform Architect > JBoss, a division of Red Hat > > > _______________________________________________ > wildfly-dev mailing list > wildfly-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/wildfly-dev