[wildfly-dev] Removing curl support from management HTTP
Radoslaw Rodak
rodakr at gmx.ch
Wed Jan 8 16:24:51 EST 2014
Hi
It starts to be interesting :-)
Whats about hash length extension attack...
https://blog.whitehatsec.com/hash-length-extension-attacks/
Cheers Radek
Am 08.01.2014 um 21:54 schrieb Jason Greene <jason.greene at redhat.com>:
>
> On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi at redhat.com> wrote:
>
>> I'm not sure what other auth mechanism you are talking about. There
>> might be something new and very elaborated.
>
> Just a SHA based digest vs an MD5 one
>
>>
>> But the problem with non-encrypted connections is that any hash could be
>> used without the need to recover the plain text password. With cookies,
>> one can sniff and use them.
>
> That’s not true. Digest is a challenge response protocol that uses a nonce as part of the sent hash. A packet sniffed hash can’t be replayed.
>
> --
> Jason T. Greene
> WildFly Lead / JBoss EAP Platform Architect
> JBoss, a division of Red Hat
>
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
More information about the wildfly-dev
mailing list