spf-discuss

Re: ESMTPA vs. ESMTPS

2005-08-16 10:26:45
william(at)elan.net wrote:

> On Tue, 16 Aug 2005, Tony Finch wrote:
>
>> On Tue, 16 Aug 2005, Frank Ellermann wrote:
>>
>>> There's no way to get the password by "watching" CRAM-MD5 or
>>> similar SASL mechanisms.  Also no realistic dictionary attack.
>>
>> CRAM-MD5 is susceptible to a passive offline dictionary attack, i.e. you
>> can listen to a CRAM-MD5 exchange and get enough data to verify a
>> correctly guessed password without actively asking the server.
>>
>> http://www.iab.org/documents/drafts/draft-iab-auth-mech-03.txt
>
> That is correct. CRAM-MD5 and DIGEST-MD5 are not considered (no longer
> considered) to be good authentication methods when used across the
> Internet. However generally speaking they are good enough for use
> on local LAN and within same corporate network (unless your corporate
> network is so bad you're afraid of man-in-the-middle attacks on it,
> but in that case you have much worse things to be worried about)

I suppose TLS would solve the problem, but then you might as well use Plain or even Login. Right?

Scott K
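The exchange under discussion, as an added example that is not part of the original thread or of any project's code: a minimal CRAM-MD5 (RFC 2195) client and server check, written to show why Tony's point holds. The server's verification needs only the challenge it sent, the response it received, and a candidate password; it never needs anything secret from the server itself, so a passive observer holding the two base64 lines from the wire can evaluate the same function against a guess. The second half shows the storage side of Scott's "PLAIN over TLS" alternative: once the channel hides the password, the server can keep a slow salted hash instead of the password (or MD5 contexts) that CRAM-MD5 obliges it to hold. The username, password, challenge and hostname are constructed sample values, not a real capture.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample exchange (not a real capture; values chosen for the demo).
USERNAME = "alice"
PASSWORD = "tanstaaf-2005"
CHALLENGE = "<4711.1124186805@mail.example.test>"  # RFC 2195 style "<random.timestamp@host>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the challenge."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def wire(s: str) -> str:
    """SMTP AUTH carries both the challenge and the response base64-encoded."""
    return base64.b64encode(s.encode()).decode()


def unwire(b64: str) -> str:
    return base64.b64decode(b64).decode()


def verify_cram_md5(challenge: str, response: str, candidate_password: str) -> bool:
    """Server-side check of a CRAM-MD5 response.

    Inputs are the challenge, the response and a password to test. No server
    secret is involved, which is exactly why the check also works for someone
    who merely recorded the exchange (the passive offline attack Tony describes).
    """
    _user, digest = response.rsplit(" ", 1)
    expected = hmac.new(candidate_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def observer_verify(transcript: list, guess: str) -> bool:
    """What someone holding only the two base64 wire lines can compute."""
    challenge, response = (unwire(line) for line in transcript)
    return verify_cram_md5(challenge, response, guess)


# PLAIN over TLS (Scott's alternative): the TLS channel hides the password in
# transit, so the server is free to store a slow, salted hash rather than the
# recoverable form CRAM-MD5 requires. 200k PBKDF2 rounds is an illustrative cost.
PBKDF2_ROUNDS = 200_000


def store_plain_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_plain_password(stored: tuple, password: str) -> bool:
    salt, h = stored
    return hmac.compare_digest(h, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


if __name__ == "__main__":
    # Simulate the two lines an observer would see on an unencrypted SMTP session.
    transcript = [wire(CHALLENGE), wire(cram_md5_response(USERNAME, PASSWORD, CHALLENGE))]
    print("server accepts the real password:", verify_cram_md5(unwire(transcript[0]), unwire(transcript[1]), PASSWORD))
    print("observer confirms the real password offline:", observer_verify(transcript, PASSWORD))
    print("observer rejects a wrong guess offline:", observer_verify(transcript, "hunter2"))
```

The point to take from `verify_cram_md5` is that the challenge/response design defeats replay and keeps the password itself off the wire, but it does not stop anyone with the transcript from testing candidate passwords at will; only a strong password or an encrypted channel closes that gap, and once the channel is encrypted the simpler mechanisms with better server-side storage become attractive.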

