
[The Register] TLS Isn't Up To The Job Without Better Credential Protection Says RFC

parityboy
Site Admin

Postby parityboy » Tue Mar 15, 2016 5:58 pm

While TLS protects plaintext passwords handed to servers over HTTPS, the RFC's author Alexey Melnikov (also a co-author of the previous RFC) wants to see it made more robust with a challenge-response mechanism.

There is one, the HTTP Digest challenge-response mechanism, but Melnikov says it “failed widespread deployment and has had only limited success”. That complexity made it hard to protect “the whole authentication exchange”, Melnikov writes, leaving some exchanges vulnerable to some man-in-the-middle attacks.

Enter SCRAM, the Salted Challenge Response Authentication Mechanism. Originally developed in 2010 as RFC 5802, Melnikov's current document describes how it could be added to HTTP exchanges.

One thing on Melnikov's mind is to avoid the kinds of breaches that have been all-too-common this decade: with salting added to the client-server exchange, he says SCRAM can prevent user impersonation resulting from leaked credentials.


Source
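The exchange the article describes, as an added example that is not part of the original post, the Register article, cryptostorm, or the RFC author's work: a minimal SCRAM implementation in Python following the RFC 5802 message flow with SHA-256 as the hash (the SCRAM-SHA-256 variant of RFC 7677), without channel binding. The username, password, salt and nonces are constructed values chosen for illustration; a real client and server draw fresh random nonces per session and the server draws a random salt at enrolment. Standard-library only.

```python
"""Minimal SCRAM-SHA-256 (RFC 5802 flow, SHA-256 hash), no channel binding.
Added illustration only; not code from the article, the RFC, or cryptostorm."""
import base64
import hashlib
import hmac
import os

HASH_LEN = hashlib.sha256().digest_size  # 32


def _h(data):
    return hashlib.sha256(data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _attrs(msg):
    # SCRAM messages are comma-separated "x=value" attributes; values never contain commas.
    return dict(part.split("=", 1) for part in msg.split(","))


def salted_password(password, salt, iterations):
    # Hi() in RFC 5802 is PBKDF2 with HMAC of the chosen hash and dkLen = hash length.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, HASH_LEN)


def enroll(password, salt=None, iterations=4096):
    """Server-side enrolment: keep salt, iteration count, StoredKey and ServerKey.
    The password itself and SaltedPassword are never stored."""
    salt = salt if salt is not None else os.urandom(16)
    sp = salted_password(password, salt, iterations)
    client_key = _hmac(sp, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key), "server_key": _hmac(sp, b"Server Key")}


def client_first(username, client_nonce):
    # "n,," is the GS2 header: no channel binding, no authorization identity.
    # (',' and '=' inside the username would need the RFC's =2C / =3D escaping; omitted.)
    return "n,," + f"n={username},r={client_nonce}"


def server_first(record, client_first_msg, server_nonce):
    # Server appends its own nonce to the client's and sends salt + iteration count.
    client_nonce = _attrs(client_first_msg[3:])["r"]
    return f"r={client_nonce}{server_nonce},s={_b64(record['salt'])},i={record['iterations']}"


def client_final(password, client_first_msg, client_nonce, server_first_msg):
    """Return (client-final-message, expected ServerSignature)."""
    attrs = _attrs(server_first_msg)
    if not attrs["r"].startswith(client_nonce):
        raise ValueError("server did not echo our nonce")
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"
    # AuthMessage binds both nonces, so the proof is worthless in any other session.
    auth_message = f"{client_first_msg[3:]},{server_first_msg},{without_proof}".encode("utf-8")
    sp = salted_password(password, salt, iterations)
    client_key = _hmac(sp, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    return f"{without_proof},p={_b64(proof)}", _hmac(_hmac(sp, b"Server Key"), auth_message)


def server_final(record, client_first_msg, server_first_msg, client_final_msg):
    """Verify the ClientProof; return the server-final-message, or None on failure."""
    without_proof, sep, proof_b64 = client_final_msg.rpartition(",p=")
    if not sep:
        return None
    auth_message = f"{client_first_msg[3:]},{server_first_msg},{without_proof}".encode("utf-8")
    # ClientKey = ClientProof XOR ClientSignature; the server only ever learns ClientKey here.
    client_key = _xor(base64.b64decode(proof_b64), _hmac(record["stored_key"], auth_message))
    if not hmac.compare_digest(_h(client_key), record["stored_key"]):
        return None
    return "v=" + _b64(_hmac(record["server_key"], auth_message))


def run_exchange(username, password, record, client_nonce, server_nonce):
    """Drive all four messages; return (server-final-message or None, client_accepts_server)."""
    cf = client_first(username, client_nonce)
    sf = server_first(record, cf, server_nonce)
    cfinal, expected_sig = client_final(password, cf, client_nonce, sf)
    sfinal = server_final(record, cf, sf, cfinal)
    if sfinal is None:
        return None, False
    return sfinal, hmac.compare_digest(base64.b64decode(sfinal[2:]), expected_sig)


def replay_is_rejected(username, password, record, client_nonce, server_nonce):
    """Capture a valid client-final-message, then replay it against a fresh server nonce."""
    cf = client_first(username, client_nonce)
    captured, _ = client_final(password, cf, client_nonce, server_first(record, cf, server_nonce))
    return server_final(record, cf, server_first(record, cf, server_nonce + "X"), captured) is None
```

Two properties worth checking when running it: with the wrong password the server returns None before the client learns anything, and a captured client-final-message replayed into a new session is rejected because AuthMessage carries the new server nonce. Note also the limit RFC 5802's security considerations spell out: if the authentication database (StoredKey/ServerKey) is stolen, the attacker cannot log in directly, but by observing one exchange can recover ClientKey from the proof and then impersonate that user, so protecting the stored records still matters.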
