RE: proxy authentication



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga

> At 04:54 PM 2002-06-16, Luke Howard wrote:
>
> >>This is basically the same as passing through the SASL
> >>bind request/responses EXCEPT the authenticating server
> >>knows it [is] doing [it] for the middle box and hence can prepare
> >>a response which can be relayed to the end client.
> >
> >In what cases would this be necessary?
>
> Any mechanism with man-in-the-middle protection... e.g. DIGEST-MD5.

No part of the DIGEST-MD5 exchange is dependent on the individual machines
in the transaction. As such, DIGEST-MD5 has no man-in-the-middle protection.
Also see http://www.ietf.org/rfc/rfc2831.txt section 3.6 which states

   Digest authentication is vulnerable to "man in the middle" (MITM)
   attacks.

The only way to defend against this is to secure the channel between the
authenticating server and the proxy.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
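
The DIGEST-MD5 response computation from RFC 2831 section 2.1.2.1, as an added example that is not part of the original message, showing which values enter the hash and what an authenticating server can check from them. The test values are the RFC's own section 4 example; the function names and the `issued_nonce` and `service` parameters are this example's assumptions.

```python
import hashlib
import hmac

# Values from the worked example in RFC 2831 section 4 (password "secret").
RFC_EXAMPLE = {
    "username": "chris", "realm": "elwood.innosoft.com",
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk",
    "nc": "00000001", "qop": "auth",
    "digest-uri": "imap/elwood.innosoft.com",
    "response": "d388dad90d4bbd760a152321f2143af7",
}

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5(f: dict, password: str, rspauth: bool = False) -> str:
    """response-value (or the server's rspauth) for qop=auth, no authzid."""
    # A1 = H(username:realm:passwd) ":" nonce ":" cnonce  (H output is raw bytes)
    a1 = _md5(f"{f['username']}:{f['realm']}:{password}".encode())
    a1 += f":{f['nonce']}:{f['cnonce']}".encode()
    # A2 = "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for rspauth
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + f["digest-uri"]
    ha1, ha2 = _md5(a1).hex(), _md5(a2.encode()).hex()
    kd = f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}"
    return _md5(kd.encode()).hex()

def server_accepts(f: dict, password: str, issued_nonce: str, service: str) -> bool:
    """Checks the authenticating server can make. Every input is a field of
    the message or the shared secret; nothing comes from the connection the
    message arrived on."""
    if f["nonce"] != issued_nonce:  # must be the nonce this server issued
        return False
    if f["digest-uri"].lower() != service.lower():  # RFC 2831: SHOULD check
        return False
    return hmac.compare_digest(digest_md5(f, password), f["response"])

if __name__ == "__main__":
    print(digest_md5(RFC_EXAMPLE, "secret"))
    print(server_accepts(RFC_EXAMPLE, "secret", "OA6MG9tEQGm2hh",
                         "imap/elwood.innosoft.com"))
```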