It starts to be interesting :-)
What about hash length extension attacks...
On 08.01.2014 at 21:54, Jason Greene <jason.greene(a)redhat.com> wrote:
On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi(a)redhat.com> wrote:
> I'm not sure what other auth mechanism you are talking about. There
> might be something new and very elaborated.
Just a SHA based digest vs an MD5 one
> But the problem with non-encrypted connections is that any hash could be
> used without the need to recover the plain text password. With cookies,
> one can sniff and use them.
That’s not true. Digest is a challenge response protocol that uses a nonce as part of the
sent hash. A packet sniffed hash can’t be replayed.
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
wildfly-dev mailing list
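The replay point made above, as an added example that is not code from the thread or from WildFly: a minimal Digest-style challenge/response (RFC 2617 shape without qop, so the hash algorithm is pluggable between MD5 and SHA-256) with a server that issues one-time nonces. The realm, user, password and URI are constructed sample values.

```python
import hashlib
import secrets


def h(data: str, algo: str) -> str:
    """Hex digest of `data` with the configured hash (md5 or sha256)."""
    return hashlib.new(algo, data.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, algo="md5"):
    """Client side: response = H(H(user:realm:pass) : nonce : H(method:uri)).
    The server nonce is bound into the hash, so the value is only valid
    for the challenge it answers."""
    ha1 = h(f"{username}:{realm}:{password}", algo)
    ha2 = h(f"{method}:{uri}", algo)
    return h(f"{ha1}:{nonce}:{ha2}", algo)


class DigestServer:
    """Server side: tracks outstanding nonces and accepts each one once."""

    def __init__(self, realm, users, algo="md5"):
        self.realm, self.users, self.algo = realm, users, algo
        self.live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)          # fresh, unpredictable nonce
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.live_nonces:       # unknown, expired or reused
            return False
        self.live_nonces.discard(nonce)         # single use: kills replay
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   method, uri, nonce, self.algo)
        return secrets.compare_digest(expected, response)


def replay_demo(algo="md5"):
    """Legitimate login, then two replays of the sniffed (nonce, response)."""
    server = DigestServer("wildfly", {"alice": "s3cret"}, algo)  # constructed
    nonce1 = server.challenge()
    resp1 = digest_response("alice", "wildfly", "s3cret", "GET", "/app", nonce1, algo)
    first = server.verify("alice", "GET", "/app", nonce1, resp1)
    nonce2 = server.challenge()                 # server moves on to a new nonce
    replay_same_nonce = server.verify("alice", "GET", "/app", nonce1, resp1)
    replay_new_nonce = server.verify("alice", "GET", "/app", nonce2, resp1)
    return first, replay_same_nonce, replay_new_nonce
```

Swapping `algo` between `"md5"` and `"sha256"` changes nothing about the replay behaviour; the protection comes from the nonce binding and one-time acceptance, not from the hash choice.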