Type: Task
Resolution: Unresolved
Priority: Normal
A web service user wanting to access user-private data (tags, ratings, collections) may authenticate via HTTP Digest or via OAuth. Having the former option affects account security negatively, in two ways:
- Clients need to know the password.
- In order to support HTTP Digest auth, the server is forced to store the ha1 value, which is essentially an MD5 hash of the password (with the user name as “salt”). MD5 is mostly broken – hashes can be calculated very quickly on modern computers (GPUs in particular), and there is a fast chosen-prefix collision attack rendering the “salt” mostly useless. Consequently, storing ha1 is almost as bad as storing plaintext passwords today.
We should therefore deprecate the HTTP Digest auth method for the web service and remove it at a flag day in the (not too distant) future; clients should use OAuth instead. After that, the ha1 value can be removed from the database.
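The following is an added illustration, not code from this ticket or from the MusicBrainz server, of why offering HTTP Digest forces the server to keep HA1: the Digest response is recomputed from HA1 alone, so whatever the server stores must be HA1 itself (a password equivalent, tied to the user name), whereas a salted slow hash such as PBKDF2 can verify a password but can never be turned back into HA1. The realm string, user names, request URI and nonces are constructed sample values.

```python
import hashlib
import secrets
from typing import Optional

# Assumption for illustration: the realm the service would send; the ticket does not name it.
REALM = "example.realm"

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 as defined by RFC 2617: MD5(username:realm:password).
    A server offering Digest auth must keep this (or the plaintext) per user."""
    return _md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str) -> str:
    """The 'response' field for qop=auth. It is derived from HA1 only, so the
    stored HA1 is a password equivalent for this scheme."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server-side check: recompute the response from the stored HA1."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, client_response)

def make_pbkdf2_verifier(password: str, salt: Optional[bytes] = None):
    """What the service could store once Digest is gone: a random salt plus a
    slow, salted PBKDF2 output. HA1 cannot be rebuilt from this, which is why
    such storage is incompatible with continuing to offer Digest auth."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)

def verify_pbkdf2(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return secrets.compare_digest(candidate, stored)

if __name__ == "__main__":
    ha1 = digest_ha1("alice", "correct horse")
    resp = digest_response(ha1, "GET", "/ws/2/tag", "nonce1", "00000001", "cnonce1")
    print("digest ok:", verify_digest(ha1, "GET", "/ws/2/tag", "nonce1", "00000001", "cnonce1", resp))
    # Renaming the account changes HA1, so the stored value stops matching (cf. MBS-9384).
    print("same HA1 after rename:", digest_ha1("alice2", "correct horse") == ha1)
```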
- depends on:
  - MOBILE-45 Switch to using OAuth 2 for logging in (Closed)
  - LMB-50 Support OAuth 2 for authentication (Open)
  - PICARD-615 Picard should use OAuth for authentication (Closed)
- has related issue:
  - MBS-9209 Allow individual users to opt out of HTTP Digest auth (Open)
  - MBS-11093 Allow Basic HTTP authentication in the web service (Open)
- is related to:
  - MBS-357 Don't store passwords in clear text (Closed)
- resolves:
  - MBS-9384 Digest authentication fails for accounts where the username has been changed (Open)
  - MBS-8334 Digest auth with username containing non-ascii characters fails (Closed)