MD5 Collisions and Cached Authentcation (was: Improving gpg-agent support)

From: Ben Reser <ben_at_reser.org>
Date: Thu, 05 Jun 2014 23:29:44 -0700

On 6/5/14, 6:16 PM, Bert Huijben wrote:
> Do we make sure that we only send the password to an exact match of the realm?
> Otherwise somebody might be able to theoretically steal passwords by using a
> special realm string on a completely different server.

Moving this to private.

Trunk has code to protect against that. You wrote it in December:
http://svn.apache.org/r1550691
http://svn.apache.org/r1550772

Older versions don't. We should probably fix that given that MD5 collisions
are possible to engineer. See:
http://www.mscs.dal.ca/~selinger/md5collision/

You'd have to convince someone's SVN client to connect to some other server
that you controlled, but that's not impossible with some social engineering.

I think we should treat the above changes as something that should be
backported to 1.7/1.8 as a security fix.

Any other opinions?
Received on 2014-06-06 08:30:20 CEST

This message: [ Message body ]
Next message: Mattias Engdegård: "Re: [PATCH] generate subversion.pot in dist.sh"
Previous message: Ben Reser: "Re: Improving gpg-agent support"
In reply to: Bert Huijben: "Re: Improving gpg-agent support"
Next in thread: Ben Reser: "Re: Improving gpg-agent support"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]