Re: Insecure WWW Access Authorization Protocol?

Tony Sanders <sanders@BSDI.COM>
Errors-To: listmaster@www0.cern.ch
Date: Wed, 9 Mar 1994 21:11:22 --100
Message-id: <199403092003.OAA03170@austin.BSDI.COM>
Reply-To: sanders@BSDI.COM
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: Tony Sanders <sanders@BSDI.COM>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: Insecure WWW Access Authorization Protocol? 
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 685
michael shiplett <michael.shiplett@umich.edu> writes:
>  2) Mallet intercepts the request and sends to Alice:
>         401 Unauthorized
>         Authenticate: KerberosV4 "http.mallet.evil.com@EVIL.COM"
>     This is the critical step, because Mallet is able to control to
>     which service Alice should authenticate herself.

Would someone please explain to me why a user would enter a password
at a prompt that read: "http.mallet.evil.com@EVIL.COM" (or anything
else they didn't recognize)?

Wouldn't they have to have a password for that realm, and don't you
think they might think "gee, I don't have a password for that
realm"?

What's missing from this picture?

--sanders
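As an added illustration, not part of this thread or of any WWW client of the time, here is the check Sanders expects the user to make by eye, done in code: a client parses the challenge quoted above and only prompts for a password if the service principal's host matches the host it actually requested and the realm is one the user holds credentials for. The `Authenticate:` header name and `service.host@REALM` principal layout follow the quoted message; the `TRUSTED_REALMS` set and the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample challenge line, copied from the quoted attack step (not a real response).
CHALLENGE_LINE = 'Authenticate: KerberosV4 "http.mallet.evil.com@EVIL.COM"'

# Hypothetical client policy: the realms this user actually has a password for.
TRUSTED_REALMS = {"UMICH.EDU"}


def parse_challenge(header_line):
    """Split an Authenticate header into (scheme, service, host, realm), or None if malformed."""
    m = re.match(r'^Authenticate:\s*(\S+)\s+"([^"]+)"\s*$', header_line)
    if not m:
        return None
    scheme, principal = m.groups()
    # Kerberos V4 principal as shown on the page: service.host@REALM
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if "." not in name:
        return None
    service, host = name.split(".", 1)
    return scheme, service, host, realm


def should_prompt(request_url, header_line, trusted_realms=TRUSTED_REALMS):
    """Return (True, 'ok') only if it is safe to ask the user for a password for this challenge."""
    parsed = parse_challenge(header_line)
    if parsed is None:
        return False, "unparseable challenge"
    scheme, service, host, realm = parsed
    if scheme != "KerberosV4":
        return False, "unsupported scheme %s" % scheme
    if service != "http":
        return False, "unexpected service %s" % service
    # The principal must name the host the client itself connected to; an intercepted
    # challenge naming some other host is refused before any prompt is shown.
    url_host = (urlparse(request_url).hostname or "").lower()
    if host.lower() != url_host:
        return False, "principal host %s does not match requested host %s" % (host, url_host)
    # Never prompt for a realm the user has no credentials in (Sanders' "gee" moment).
    if realm not in trusted_realms:
        return False, "no credentials for realm %s" % realm
    return True, "ok"
```

Run against the quoted challenge for a request to `www.umich.edu`, the function refuses on the host mismatch before it even gets to the realm check.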