From: J. J. Horner (jhorner@2jnetworks.com)
Date: Thu May 30 2002 - 14:13:01 EDT
* John_Leitch@NAI.com (John_Leitch@NAI.com) [020530 12:55]:
> Hi,
>
> Thanks for that but the ever changing realm is as follows.....
>
> When a connection is established to the server and you are presented with a
> login prompt the realm is different everytime. Its almost like the server
> has / is using /dev/random to assign the realm so its never the same.
>
I'm not exactly sure how this would work, as a browser must have a Realm/uid/password
trio to successfully authenticate against a server. If the Realm constantly changes,
every authenticated gif, page, or button would request a new uid/password for the new
realm. This would make the website a hassle to use.
More information on this would be useful, as this sounds definitely more dynamic
that is reasonably possible.
If each page were only text and no images, this could work, although it would make
normal browsing impossibly tedious.
If each transaction only requests a .doc or a .pdf, or something similarly self-contained,
the changing Realm won't affect you much, unless you assume that each user has a new uid/password
string for each realm. If each user doesn't have a unique uid/password for each realm,
then there must be some uid/password pairs similar to each realm, and therein lies your
possible brute-force possibility.
Thanks,
JJ
-- J. J. Horner Web Server Security Professional jhorner@2jnetworks.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT