[Twisted-Python] Something strange about cred

Stephen Waterbury waterbug at pangalactic.us
Thu Feb 8 22:01:02 EST 2007


David Reid wrote:
> On Feb 8, 2007, at 2:51 PM, Stephen Waterbury wrote:
> 
>> Jean-Paul Calderone wrote:
>>> ... I think the main problem you're
>>> running into is that HTTP digest authentication is being used  ...
>>
>> *So* (for anybody still listening ;) I finally figured out the
>> implication of Jp's comment:  all I had to do was remove the
>> digest.DigestCredentialFactory('md5', 'My Realm') factory
>> instance from HTTPAuthResource's list of credentialFactories
>> and bingo, we're in basic auth mode and my checker works
>> with the web2 auth example -- yay!
> 
> Why doesn't your DB Checker just support both interfaces? 
> IUsernamePassword, and IUsernameHashedPassword,
> doing the right thing depending on the interface provided by the 
> credentials input.  Or, do the same thing regardless, because they 
> provide compatible checkPassword interfaces.  You'd have to read the 
> password from the DB here, but I don't see why that should concern you.  
> And the ability to use Digest auth would provide all around better 
> security.

Thanks, David, but for my application it isn't useful.  IMNSHO, digest
auth only gives an illusion of good security -- it's encrypted, right? 
But I regard it as a waste of time, and the time that I have to work
on the actual logic of my application is in short supply as it is.

Digest auth was invented in 1993, well before widespread open source
implementation of strong asymmetric key technologies, and digest auth
is a technology that can be broken by determined hackers.  I don't
intend to bother with it -- especially since good transport layer
encryption technology is now quite easy to use.

I prefer to exclude digest auth completely from any of my applications,
as I am campaigning against its use.

>> That wasn't obvious to me from HTTPAuthResource's doc
>> string nor from the example docs, but arguably I should have
>> guessed it (sooner).
> 
>> Anyway, I'm happy now -- thanks, web2 team!
> 
> You're welcome, sorry I didn't get a chance to chime in on this
> discussion earlier.

Yes, it would have saved me half a day off-and-on of head-scratching.

>> Death to HTTP digest authentication!
> 
> I don't know, I definitely prefer digest authentication[1] to sending
> my password in plaintext[2]

I use either plaintext basic auth (if the need is only for user
identification, not security) or transport layer asymmetric key
encryption (if the resource needs security).  If it needs security,
it needs real security, and since twisted makes transport layer
asymmetric key encryption (e.g., openssl) quite easy to use, the
only reason I can see for bothering with digest auth is if you
have either some legacy stuff that needs it (which I don't) or
a pointy-haired boss who insists on it (time to look for another
job! ... but one doesn't always have that opportunity, of course).
There might be other use-cases, but I have surrounded them with
a Somebody Else's Problem Field, so they are invisible to me.  ;)

Thanks for all your good work on web2 -- it is appreciated!  :)

Cheers,
Steve
