From: stillson@ashd.com (Chris Stillson)
Date: Wed, 10 Apr 1996 14:44:53 +0800
To: cypherpunks@toad.com
Subject: Re: WWW User authentication
Message-ID: <199604092100.QAA21158@bach.ashd.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:58 4/9/96 -0400, Jeff Barber wrote:
>Brian C. Lane writes:
>
>>   I just finished writing a cgi script to allow users to change their login
>> passwords via a webpage. I currently have the webpage being authenticated
>> with the basic option (uuencoded plaintext). MD5 would be nicer, but how
>> many browsers actually support it?
>
>AFAIK, none.  I don't see how this would be helpful anyway.  If you 
>MD5 the password, I won't be able to snoop the password off the wire,
>but I can simply snoop the MD5 hash off the wire instead and since 
>that's what your authentication check must now be against, what does
>this buy you?
>
>

Well, that isn't exactly how digest authentication works.
In fact mister barber should figure out what he is talking about
before saying anything.  But, you can't really use a hash function
to send the new password.  


>>   When the user changes their password, the form sends their name, old
>> password, and new password with it, in the clear. This is no worse than
>> changing your password across a telnet connection, but I'd like it to be
>> more secure, but useable by a large number of browsers.
>> 
>>   Any advice?
>
>Well, if you use SSL, it's useable by a "large number of browsers" since
>Netscape has such a large share of the browser market.  And then all of
>the things you're doing w.r.t. authentication are hidden, at least from
>casual eavesdroppers and others too if you use more than the 40-bit option.
>There's really no other choice to reach a large number of browsers.
>
>
>-- Jeff

Once again mister barber is being an idiot.  netscape is not a "large number
of browsers".  He is right that ssl is probably a good way to go. (shttp would
be better :) )

You might be able to hack something together with java that did some kind of
clever thing, but then you are limited again.

CGI just isn't made for sending secure information.

As far as digest (MD5) authenitcation goes, I know that the spyglass
browser, and most of its derivatives (like m-soft i-net explorer) can use
it.  I know cause I did a lot of the QA on it.  The real problem is finding
a server that supports it.  I don't know if apache or ncsa do, but they
could probably be hacked to do it.  If you download a spyglass server, I
know it works (I did a lot of the early QA on that too ).  

But that probably doesn't  help too much.
You should probaly find something better than the web to do it.

Chris

############################################
Chris Stillson
Chief Rocket Scientist
Resident Web Geek
Hip Young Nerd
Second Rate graphic designer
Unix Guru
In other words, Webmaster
American Software & Hardware Distributors
fluffy@ashd.com
Check out our web site-> http://www.ashd.com
Cause I did it all....
stop the CDA. Check
http://www.eff.org
############################################