Re: Insecure WWW Access Authorization Protocol?

Tony Sanders (sanders@BSDI.COM)
Wed, 9 Mar 1994 21:11:22 --100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Daniel W. Connolly: "Comments on HTTP spec"
Previous message: Paul Crowley: "Re: Insecure WWW Access Authorization Protocol?"
Maybe in reply to: Wayne Allen: "Insecure WWW Access Authorization Protocol?"
Next in thread: michael shiplett: "Re: Insecure WWW Access Authorization Protocol?"

michael shiplett <michael.shiplett@umich.edu> writes:
> 2) Mallet intercepts the request and sends to Alice:
> 401 Unauthorized
> Authenticate: KerberosV4 "http.mallet.evil.com@EVIL.COM"
> This is the critical step, because Mallet is able to control to
> which service Alice should authenticate herself.

Would someone please explain to me why a user would enter a password
at a prompt that read: "http.mallet.evil.com@EVIL.COM" (or anything
thing else they didn't recoginze?

Wouldn't they have to have a password for that realm and don't you
think they might think "gee, I don't have a password for that
realm".

What's missing from this picture?

--sanders

Next message: Daniel W. Connolly: "Comments on HTTP spec"
Previous message: Paul Crowley: "Re: Insecure WWW Access Authorization Protocol?"
Maybe in reply to: Wayne Allen: "Insecure WWW Access Authorization Protocol?"
Next in thread: michael shiplett: "Re: Insecure WWW Access Authorization Protocol?"