From: | Vince Vielhaber <vev(at)michvhf(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Hannu Krosing <hannu(at)tm(dot)ee>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: So we're in agreement.... |
Date: | 2000-05-07 18:45:44 |
Message-ID: | Pine.BSF.4.21.0005071439000.13987-100000@paprika.michvhf.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
On Sun, 7 May 2000, Tom Lane wrote:
> Vince Vielhaber <vev(at)michvhf(dot)com> writes:
> > My intent was not to send the username, but let the server figure it
> > out by the response.
>
> That would be a neat trick. How will you do it? MD5 is not reversible.
CLIENT: md5(salt_from_server + md5(username + md5(password)))
SERVER: md5(salt_from_server + md5(username + stored_password))
The server runs thru all available usernames using the above algorithm.
> I'm still of the opinion that anyone who is really concerned about
> sniffing attacks ought to be using SSL, because protecting just their
> password and not the data that will be exchanged later in the session is
> unwise. So I'm not really excited about adding anti-sniffing frammishes
> like this one. We've got a good scheme for the password; let's be
> careful about adding "improvements" that won't carry their weight in
> the real world. There's no such thing as a single security scheme that
> addresses every possible vulnerability. Extending one part of your
> security arsenal to partially solve problems that are better solved
> by a different tool is just wasting time.
Agreed.
Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2000-05-07 19:16:51 | Re: So we're in agreement.... |
Previous Message | Tom Lane | 2000-05-07 17:40:14 | Re: So we're in agreement.... |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2000-05-07 19:16:51 | Re: So we're in agreement.... |
Previous Message | Tom Lane | 2000-05-07 17:40:14 | Re: So we're in agreement.... |