
[The Register] TLS Isn't Up To The Job Without Better Credential Protection Says RFC

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Postby parityboy » Tue Mar 15, 2016 5:58 pm

While TLS protects plaintext passwords handed to servers over HTTPS, the RFC's author Alexey Melnikov (also a co-author of the previous RFC) wants to see it made more robust with a challenge-response mechanism.

There is one, the HTTP Digest challenge-response mechanism, but Melnikov says it “failed widespread deployment and has had only limited success”. That complexity made it hard to protect “the whole authentication exchange”, Melnikov writes, leaving some exchanges vulnerable to some man-in-the-middle attacks.

Enter SCRAM, the Salted Challenge Response Authentication Mechanism. Originally developed in 2010 as RFC-5802, Melnikov's current document describes how it could be added to HTTP exchanges.

One thing on Melnikov's mind is to avoid the kinds of breaches that have been all-too-common this decade: with salting added to the client-server exchange, he says SCRAM can prevent user impersonation resulting from leaked credentials.


Source
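To make concrete what the article's "salting added to the client-server exchange" means, here is an added walk-through of the SCRAM computation (RFC 5802, using the SHA-256 variant from RFC 7677) in Python. It is not code from the post, the article, or any SCRAM library; the user name, nonces, salt and iteration count are constructed values, and the wire messages are assembled only as far as needed to form AuthMessage. The point it shows is that the server's stored record holds `StoredKey = H(ClientKey)` and `ServerKey`, never the password or SaltedPassword, so a copy of that record cannot be replayed as a valid client proof.

```python
import base64
import hashlib
import hmac
HASH = "sha256"  # SCRAM-SHA-256 (RFC 7677); the original RFC 5802 profile used SHA-1

def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()
def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def salted_password(password: str, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iters)  # Hi() in RFC 5802

def auth_message(user: str, cnonce: str, snonce: str, salt: bytes, iters: int) -> bytes:
    # AuthMessage = client-first-bare "," server-first "," client-final-without-proof
    s = base64.b64encode(salt).decode()
    return f"n={user},r={cnonce},r={cnonce}{snonce},s={s},i={iters},c=biws,r={cnonce}{snonce}".encode()

def enroll(password: str, salt: bytes, iters: int) -> dict:
    # Server-side record. StoredKey = H(ClientKey) is one-way, so the record alone
    # cannot be turned into a valid ClientProof; SaltedPassword is not kept at all.
    sp = salted_password(password, salt, iters)
    return {"salt": salt, "iters": iters,
            "stored_key": h(hmac_(sp, b"Client Key")),
            "server_key": hmac_(sp, b"Server Key")}

def client_proof(password: str, salt: bytes, iters: int, am: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password never leaves the client
    client_key = hmac_(salted_password(password, salt, iters), b"Client Key")
    return xor(client_key, hmac_(h(client_key), am))

def server_verify(record: dict, am: bytes, proof: bytes):
    # Undo the XOR to recover ClientKey and accept iff H(ClientKey) == StoredKey.
    # Returns ServerSignature on success (so the client can authenticate the server), else None.
    client_key = xor(proof, hmac_(record["stored_key"], am))
    if not hmac.compare_digest(h(client_key), record["stored_key"]):
        return None
    return hmac_(record["server_key"], am)

def run_exchange(enrolled_password: str, typed_password: str) -> bool:
    # Constructed demo with a fixed salt and fixed nonces so the run is deterministic.
    salt, iters = b"constructed-salt", 4096
    record = enroll(enrolled_password, salt, iters)
    am = auth_message("alice", "cnonce-demo", "snonce-demo", salt, iters)
    server_sig = server_verify(record, am, client_proof(typed_password, salt, iters, am))
    # Client side: accept the server only if ServerSignature == HMAC(ServerKey, AuthMessage).
    expected = hmac_(hmac_(salted_password(typed_password, salt, iters), b"Server Key"), am)
    return server_sig is not None and hmac.compare_digest(expected, server_sig)
```

A real deployment generates fresh random nonces per exchange and a random per-user salt; fixing them here only keeps the example reproducible.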
