
Re: mod_auth_kerb and Heimdal KDC

>Just a remark to SSL:
>The Microsoft draft (which the Mozilla+Apache patches are based on) specifies
>only mechanisms for authentication. Some other method (e.g. SSL) must be used
>to ensure integrity control of transmitted HTTP messages. Otherwise, a
>malicious user would be able to copy an Authorization header (coming from a
>valid user) and paste it into another message.

I sure hope your Kerberos implementation includes a replay cache ... if it
does, then this can't happen.
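To show what the replay cache mentioned above actually checks, here is an added illustration (not code from the thread, mod_auth_kerb or Heimdal): a minimal Kerberos-style replay cache keyed on the authenticator's client, server, ctime and cusec fields, with the 300-second clock-skew window that Kerberos implementations use by default; the Authenticator class and the demo values are assumptions constructed for the example.

```python
"""Kerberos-style replay cache (added example, not from the thread).

Assumed model: an authenticator is reduced to the fields a KDC/service
keys its replay cache on (client, server, ctime, cusec). Error names are
the RFC 4120 KRB_AP_ERR codes a service would return.
"""
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; default permitted clock skew in Kerberos


@dataclass(frozen=True)  # frozen so it is hashable and usable as a cache key
class Authenticator:
    client: str  # client principal, e.g. "alice@EXAMPLE.ORG" (constructed)
    server: str  # service principal, e.g. "HTTP/www.example.org@EXAMPLE.ORG"
    ctime: int   # client timestamp, seconds since epoch
    cusec: int   # microsecond field; separates requests within one second


class ReplayCache:
    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # Authenticator -> ctime, for eviction

    def _expire(self, now):
        # Entries older than the skew window can never be accepted again,
        # so they are dropped to keep the cache bounded.
        for auth in [a for a, t in self._seen.items() if t < now - self.skew]:
            del self._seen[auth]

    def check(self, auth, now):
        """Return (accepted, reason); records the authenticator on success."""
        self._expire(now)
        if abs(now - auth.ctime) > self.skew:
            return False, "KRB_AP_ERR_SKEW"    # outside the window, never cached
        if auth in self._seen:
            return False, "KRB_AP_ERR_REPEAT"  # same authenticator seen before
        self._seen[auth] = auth.ctime
        return True, "ok"


def demo():
    cache = ReplayCache()
    a = Authenticator("alice@EXAMPLE.ORG", "HTTP/www.example.org@EXAMPLE.ORG",
                      1_000_000, 42)
    first = cache.check(a, now=1_000_001)         # genuine first presentation
    replayed = cache.check(a, now=1_000_003)      # same header presented again
    late = cache.check(a, now=1_000_000 + 3600)   # an hour later: skew rejects it
    return first, replayed, late
```

The cache keys on the authenticator alone, so it stops the same Authorization header being accepted twice; tying that header to one particular request body is what the transport-level integrity protection in the quoted remark provides.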