[bind10-dev] Security Mechanism for Cmdctl and Bindctl

Francis Dupont fdupont at isc.org
Mon Jun 14 19:36:32 UTC 2010


> > => "password in plaintext" is not suitable for a security mechanism.
> 
> Francis: I believe this means it is using HTTP/1.0 Authentication 
> instead of RFC 2069 Digest Access Authentication. Either way, it is sent 
> via SSL. Any thoughts on if plain text auth over SSL is not suitable?

=> yes, because in encapsulated authentication protocols you need a way
to bind them together to avoid MITM attacks, and this is pretty hard to
do with a password. So I still say "password in plaintext" is bad for
security.

Francis Dupont <fdupont at isc.org>

PS: the draft explaining the issue for PEAP and TTLS is not well known.
(it is draft-puthenkulam-eap-binding-01.txt)
Google gives another ref: http://eprint.iacr.org/2002/163.pdf
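The binding problem Francis refers to, as an added illustration that is not code from the thread or from BIND 10: an inner password sent unchanged through a TLS tunnel can be relayed by a man-in-the-middle who holds a second tunnel to the real server, whereas a proof keyed on a per-connection channel-binding value only verifies on the tunnel it was computed for. The TLS handshake is simulated here; `TlsChannel.binding` stands in for a value such as a TLS exporter or tls-unique that a real client would read from its TLS library. The user database, the endpoint names and the password are constructed for the example.

```python
"""Model of why a plaintext password inside a TLS tunnel is relayable by a
MITM, and how binding the inner proof to the outer channel stops the relay.

Illustration written for this page, not bind10 code.  The TLS handshake is
simulated: `TlsChannel.binding` stands in for a per-connection value such as
a TLS exporter or tls-unique.  Names (cmdctl, alice, hunter2) are made up.
"""
import hashlib
import hmac
import secrets

# Constructed user database of the hypothetical cmdctl server.
USERS = {"alice": "hunter2"}


class TlsChannel:
    """One TLS connection between two endpoints.

    The binding value is derived from a simulated handshake transcript, so two
    separate tunnels never share it even when the same client sits on one end.
    That is the property the real tls-unique / exporter values provide."""

    def __init__(self, client_name: str, server_name: str) -> None:
        transcript = b"|".join([
            client_name.encode(),
            server_name.encode(),
            secrets.token_bytes(32),   # simulated client random
            secrets.token_bytes(32),   # simulated server random
        ])
        self.binding = hashlib.sha256(transcript).digest()


# --- variant 1: password sent as-is inside the tunnel (what the thread objects to)
def client_plain(channel: TlsChannel, user: str, password: str):
    return user, password.encode()


def server_plain(channel: TlsChannel, user: str, credential: bytes) -> bool:
    pw = USERS.get(user)
    return pw is not None and hmac.compare_digest(pw.encode(), credential)


# --- variant 2: proof keyed on the password AND this tunnel's binding value
def client_bound(channel: TlsChannel, user: str, password: str):
    proof = hmac.new(password.encode(), channel.binding, hashlib.sha256).digest()
    return user, proof


def server_bound(channel: TlsChannel, user: str, credential: bytes) -> bool:
    pw = USERS.get(user)
    if pw is None:
        return False
    expected = hmac.new(pw.encode(), channel.binding, hashlib.sha256).digest()
    return hmac.compare_digest(expected, credential)


def honest_login(client_fn, server_fn) -> bool:
    """Client talks directly to the real server over a single tunnel."""
    tunnel = TlsChannel("alice-client", "cmdctl")
    user, cred = client_fn(tunnel, "alice", "hunter2")
    return server_fn(tunnel, user, cred)


def relayed_login(client_fn, server_fn) -> bool:
    """Client was tricked into a tunnel to the attacker (e.g. it accepted the
    wrong certificate).  The attacker opens its own tunnel to the real server
    and forwards whatever credential the client sent, byte for byte."""
    victim_tunnel = TlsChannel("alice-client", "attacker-as-cmdctl")
    attacker_tunnel = TlsChannel("attacker", "cmdctl")
    user, cred = client_fn(victim_tunnel, "alice", "hunter2")
    # The real server only ever sees attacker_tunnel and the relayed credential.
    return server_fn(attacker_tunnel, user, cred)


if __name__ == "__main__":
    print("plain, honest :", honest_login(client_plain, server_plain))   # True
    print("plain, relayed:", relayed_login(client_plain, server_plain))  # True  (MITM wins)
    print("bound, honest :", honest_login(client_bound, server_bound))   # True
    print("bound, relayed:", relayed_login(client_bound, server_bound))  # False (relay fails)
```

The HMAC proof only demonstrates the binding property; an attacker who captures it can still run offline password guesses against it, so a real design would combine channel binding with a salted challenge-response or PAKE scheme rather than keying directly on the password.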
