IPP Mail Archive: IPP> FW: PC Week Web server security spec gaining support

IPP> FW: PC Week Web server security spec gaining support

Manros, Carl-Uno B (cmanros@cp10.es.xerox.com)
Tue, 29 Jun 1999 10:00:33 -0700

FYI,

Carl-Uno

-----Original Message-----
From: Carl-Uno Manros [mailto:carl@manros.com]
Sent: Monday, June 28, 1999 8:35 PM
To: manros@cp10.es.xerox.com
Subject: PC Week Web server security spec gaining support




Web server security spec gaining support
By Scot Petersen and Jim Kerstetter, PC Week Online
June 28, 1999 9:00 AM ET

A security specification garnering the attention of users and vendors
promises to improve Web server defenses and reduce encryption loads.

The Internet Engineering Task Force published the latest version of the
HTTP/1.1 Message Digest Authentication spec this month. The technology
protects Web servers with an RSA Data Security Inc. MD5 "hash" algorithm
method, ensuring that passwords--which hackers and sniffer software now can
detect fairly easily--can't be deciphered.

Digest Authentication also will allow site managers to be more selective in
their use of encryption and enable them to limit SSL (Secure Sockets Layer)
sessions to data that truly needs to be protected. SSL sessions are
processor-intensive and, as a result, can slow down servers.

"Today all you really have is a clear-text challenge response. It's easy to
hack into or crack," said Peter Mellquist, architect in the network
peripheral solutions division of Hewlett-Packard Co., in Roseville, Calif.
"When authentication occurs and moves across the wire, anyone can pick that
up. [Digest Authentication] moves as a hash of the password and user name,
which is not discernible."

HP is supporting Digest Authentication in its line of Internet-enabled
printers. The company will use Agranat Systems Inc.'s EmWeb 5.1 embedded Web
server engine, which will ship this week with added support for the newest
version of the security specification.

Microsoft Corp. also is supporting the technology in Internet Explorer 5.0
and the forthcoming Internet Information Server 5.0, which will ship as part
of Windows 2000 later this year.

The only thing stopping widespread adoption of the spec is support across
all browsers and servers.

"Our Apache server [Version 1.3.6] already supports Digest Authentication,"
said Stefan Winz, director of commerce technology at TheStreet.com, in New
York. "The problem is there's been no support for it on [all] browsers. If
they did, we'd definitely think about using it."

Netscape Communications Corp., in Mountain View, Calif., does not support
Digest Authentication in its browsers and Web servers. While officials
declined to offer an explanation, sources said Netscape has been reluctant
to support the technology because developers are concerned that it leaves
password databases vulnerable to attack on Web servers.

Digest Authentication was created more than two years ago, but the IETF
recently added corrections that make the specification easier to implement,
said Scott Lawrence, director of research and development at Agranat, of
Maynard, Mass., and a co-author of the specification.

What it does not do is encrypt traffic. It merely hides passwords. Still,
for sites that use SSL encryption--often when they don't really need
to--password hashing could lead to better use of encryption and less overall
loads on servers.

When users of BMG Direct Inc., in New York, want to protect their passwords,
for example, they must establish an SSL connection, said Elizabeth Rose,
vice president of strategic development and e-commerce.

"Much of that information doesn't really need to be encrypted," Rose said,
"but we still give them that option."

How Message Digest Authentication works
<http://www.zdnet.com/pcweek/graphics/28messagedia.gif>
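
Added example, not part of the forwarded article: the Digest computation (qop=auth) as defined in RFC 2617, using that RFC's sample request values and hypothetical helper names. It shows that only a hash crosses the wire, and why the server-side password database mentioned in the article must be protected: the stored H(A1) value is enough to answer a challenge.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # H(A1): the only form of the password the server has to store.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(H(A1):nonce:nc:cnonce:qop:H(A2)), H(A2) = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1, method, fields, current_nonce):
    # A response is bound to the nonce it was computed over, so the server
    # must first check that the nonce is one it currently honours (replay).
    if fields["nonce"] != current_nonce:
        return False
    expected = digest_response(stored_ha1, method, fields["uri"],
                               fields["nonce"], fields["nc"],
                               fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])

# Sample values from the RFC 2617 example exchange (not from the article).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
STORED_HA1 = ha1(USER, REALM, PASSWORD)  # the server's password-file entry

# Client side: the fields that actually travel in the Authorization header.
REQUEST = {"uri": "/dir/index.html", "nonce": NONCE,
           "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
REQUEST["response"] = digest_response(
    ha1(USER, REALM, PASSWORD), "GET", REQUEST["uri"],
    NONCE, REQUEST["nc"], REQUEST["cnonce"])

def password_file_is_sufficient():
    # A response built from STORED_HA1 alone, without PASSWORD, verifies:
    # the server's credential file is a password-equivalent secret.
    from_file = dict(REQUEST, response=digest_response(
        STORED_HA1, "GET", REQUEST["uri"], NONCE,
        REQUEST["nc"], REQUEST["cnonce"]))
    return server_verify(STORED_HA1, "GET", from_file, NONCE)

if __name__ == "__main__":
    print("response on the wire:", REQUEST["response"])
    print("verifies:", server_verify(STORED_HA1, "GET", REQUEST, NONCE))
    print("stored H(A1) suffices:", password_file_is_sufficient())
```
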
