[MBS-9207] Disallow HTTP Digest authentication - MetaBrainz Tickets

Type: Task
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Accounts, Web service
Labels:
None

A web service user wanting to access user-private data (tags, ratings, collections) may authenticate via HTTP Digest or via OAuth. Having the former option affects account security negatively, in two ways:

Clients need to know the password.
In order to support HTTP Digest auth, the server is forced to store the ha1 value, which is essentially an MD5 hash of the password (with the user name as “salt”). MD5 is mostly broken – hashes can be calculated very quickly on modern computers (GPUs in particular), and there is a fast chosen-prefix collision attack rendering the “salt” mostly useless. Consequently, storing ha1 is almost as bad as storing plaintext passwords today.

We should therefore deprecate the HTTP Digest auth method for the web service and remove it at a flag day in the (not too distant) future; clients should use OAuth instead. After that, the ha1 value can be removed from the database.

depends on

MOBILE-45 Switch to using OAuth 2 for logging in

Closed

LMB-50 Support OAuth 2 for authentication

Open

PICARD-615 Picard should use OAuth for authentication

Closed

has related issue

MBS-9209 Allow individual users to opt out of HTTP Digest auth

Open

MBS-11093 Allow Basic HTTP authentication in the web service

Open

is related to

MBS-357 Don't store passwords in clear text

Closed

resolves

MBS-9384 Digest authentication fails for accounts where the username has been changed

Open

MBS-8334 Digest auth with username containing non-ascii characters fails

Closed

(1 is related to, 2 resolves)

Loading...

Type: Task
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Accounts, Web service
Labels:
None