[prev in list] [next in list] [prev in thread] [next in thread]
List: httpclient-commons-dev
Subject: Re: use of MD5 and security violations
From: Oleg Kalnichevski <olegk () apache ! org>
Date: 2008-10-28 15:13:39
Message-ID: 1225206819.6034.14.camel () ubuntu
[Download RAW message or body]
On Sat, 2008-10-25 at 13:33 +0200, Oleg Kalnichevski wrote:
> On Fri, 2008-10-24 at 13:45 +0100, sebb wrote:
> > On 24/10/2008, Lovette, Steve <steve.lovette@lmco.com> wrote:
> > > Sebbaz
> > > From what I have read the use of algorithms that have been shown to be
> > > breakable become unacceptable. There is literature on the web about
> > > this. From reading the government NIST web site and the government STIGs
> > > that recommend only the SHA-x algorithms to be used in sensitive
> > > applications. MD5 is not a government approved algorithm to be used in
> > > hashing functions where encryption is involved.
> >
> > OK, but so what?
> >
> > > That said your point about HTTP client may well be the best counter
> > > point. Since HTTP client runs on the client and the client is always
> > > suspect then perhaps this is a sufficient argument.
> >
> > I think you still misunderstand what HC is for.
> >
> > It is irrelevant where HC runs; the point is that it is a client
> > library, i.e. it talks to servers.
> >
> > If the server needs MD5 for something, then HC will use that.
> > HC does not use MD5 for its own purposes.
> >
>
> Sebastian, et al
>
> I took a brief look at the DIGEST authentication scheme implementation
> in HttpClient 4.0 and it appears HttpClient will reject a challenge
> unless the specified digest algorithm is either MD5 or MD5-sess. As far
> as I can tell these are two algorithms mentioned in RFC 2617. There is
> no mentioning of SHA-x algorithms in the spec. However, it would
> certainly make sense to ensure HttpClient can support alternative
> digests, if the server requests an algorithm other than MD5 or MD5-sess.
>
> Steve,
>
> If you think the present implementation of DIGEST authentication is not
> secure enough, feel free to open a JIRA for this issue
>
> https://issues.apache.org/jira/browse/HTTPCLIENT
>
> Oleg
>
DigestScheme can now use an arbitrary digest algorithm requested by the
target server (such SHA) as long as that algorithm is supported by the
Java runtime
Oleg
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic