We (at Mac OS Forge) are working on an improved infrastructure that will remove the need for digest auth, use SSL, etc. I don't have an ETA for you, but rest assured we know we have plenty of improvements to make site-wide. Thanks.

-Bill

On Dec 31, 2007, at 3:26 PM, Landon Fuller wrote:
On Dec 25, 2007, at 8:44 AM, Juan Manuel Palacios wrote:
On Dec 25, 2007, at 8:51 AM, js wrote:
Forwarding to macports developers.
---------- Forwarded message ----------
From: js <ebgssth@gmail.com>
Date: Dec 25, 2007 12:19 AM
Subject: macforge.org via https?
To: MacPorts Users <macports-users@lists.macosforge.org>
Hi list,
A simple question.
Is there any reason http://www.macosforge.org/wp-login.php is not HTTPS?
Because we use http digest for authentication, not SSL.
But HTTP digest doesn't solve any of the problems that SSL solves:
- It is still vulnerable to a MITM attack. Your password is hashed, but the hash is password-equivalent -- an attacker can simply forward it on.
- Digest authentication is indistinguishable from Basic authentication -- your browser will display the same dialog regardless of the authentication type.

At best, it will prevent a passive attacker from acquiring your password. Anyone engaging in an active MITM attack will have no difficulty acquiring your password.

-landonf
_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/macports-dev
----
William Siegrist
Software Support Engineer
Mac OS Forge
http://macosforge.org/
wsiegrist@apple.com
408 862 7337
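
An added example, not part of the thread and not Mac OS Forge code, for the two points made above about HTTP digest (RFC 2617, qop=auth): the server's check uses only a stored hash and fields copied from the request header, with nothing tying it to the connection or authenticating the server, and a client can at least refuse a challenge whose scheme has been changed to Basic. The field values are the RFC 2617 sample exchange; all function names are assumptions.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # What an htdigest-style file stores; in every later step it stands in
    # for the password itself.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, f: dict) -> str:
    # RFC 2617 request-digest for qop=auth.
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(":".join(
        [ha1_hex, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def server_accepts(stored_ha1: str, method: str, f: dict) -> bool:
    # Every input is the stored hash or a header field. Nothing identifies
    # the TCP connection, and the server never proves its own identity.
    expected = digest_response(stored_ha1, method, f)
    return hmac.compare_digest(expected, f["response"])

def challenge_is_acceptable(www_authenticate: str) -> bool:
    # Client-side policy (assumption: this site is known to use Digest):
    # never answer a challenge whose scheme is anything else, e.g. Basic.
    parts = www_authenticate.strip().split(None, 1)
    return bool(parts) and parts[0].lower() == "digest"

# Sample exchange from RFC 2617 section 3.5.
RFC2617_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("server accepts header:", server_accepts(stored, "GET", RFC2617_FIELDS))
    print("Digest challenge ok:", challenge_is_acceptable('Digest realm="testrealm@host.com"'))
    print("Basic challenge ok:", challenge_is_acceptable('Basic realm="testrealm@host.com"'))
```

Neither check provides confidentiality or server authentication; the scheme check only stops a client from sending the password in cleartext to a rewritten challenge.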