Firewall Wizards mailing list archives

Re: Our friend FTP, again


From: Matthew Patton <patton () sysnet net>
Date: Thu, 15 Apr 1999 20:23:23 -0400

HTTP lacks reliable OTP implementation,

That's because of the above... Lots of protocols have this problem, FTP
isn't one of them.  HTTP needs to add an OTP flag, and a short-lived cookie
needs to be set to authenticate after the first time.

Hmm, why didn't I think of that? Though some people block cookies. Could
make it a cookie equivalent. Basically a URL segment (or form variable)
that gets sent every time and say expires in 5 minutes. HTTP for those who
don't care, HTTPS for those with say, reusable passwords.

Example scenario:

 http[s]://user:password(s/key?)/rest_of_url
   or
 fill in dialog box with username/password, preferably OTP unless SSL.

 If a directory listing, and authenticated each url would have the 'auth'
bit tacked on:
  filename.txt?auth=base64_encoded_auth_token

So how do you stop a replay attack? If we don't use HTTPS I guess we can't.
At least I can't think of any workable solution.

Have the SecureID or other OTP guys done anything with this?

--------
OpenBSD - Because security matters... (http://www.openbsd.org/)

"Bill Clinton has acted for the past year on his deepest beliefs: that Law
 is merely politics, that the truth is merely spin, that an oath is merely
 rhetoric, that justice is merely power. These doctrines...corrupt us and
 degrade our constitutional order in a profound way."
  - William Kristol (Newsweek)
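The token-in-URL scheme sketched in the post, written out as an added example (not code from the post or the list): the server mints a short-lived `auth` value, re-tags every link it emits, and checks expiry plus single use so that a token captured from a plaintext HTTP URL cannot be replayed for the rest of its lifetime. The key, lifetime, token layout and hostname are constructed assumptions, not anything the post specifies.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; a real deployment generates the key at startup and keeps it private.
SERVER_KEY = b"constructed-demo-key"
TOKEN_LIFETIME = 300  # the post's "say expires in 5 minutes"


def mint_token(user, now, key=SERVER_KEY, lifetime=TOKEN_LIFETIME):
    """Build the post's 'auth' value: user|expiry|MAC, base64-encoded for the URL."""
    payload = f"{user}|{int(now) + lifetime}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def tag_url(url, token):
    """The server re-tags every link it emits, e.g. filename.txt?auth=<token>."""
    return f"{url}?{urlencode({'auth': token})}"


def token_from_url(url):
    return parse_qs(urlparse(url).query).get("auth", [None])[0]


def verify_token(token, now, seen, key=SERVER_KEY):
    """Return the user if the token is authentic, unexpired and not yet used; else None.

    `seen` is server-side state of tokens already accepted (prune it as tokens expire).
    Without it, anyone who observed the plaintext HTTP URL could replay the token until
    it expires, which is the weakness the post points out. Because the server mints a
    fresh token into every link it emits, single use does not break navigation.
    """
    try:
        user, expiry, mac = base64.urlsafe_b64decode(token).decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    expected = hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    if now >= expiry or token in seen:
        return None  # expired, or a replay of an already-used token
    seen.add(token)
    return user


if __name__ == "__main__":
    used = set()
    link = tag_url("http://files.example/filename.txt", mint_token("alice", 1000))
    print(verify_token(token_from_url(link), 1010, used))  # alice
    print(verify_token(token_from_url(link), 1020, used))  # None: replayed token
```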
