[Rets-dev] Username/Password and security policies

Stuart Schuessler sschuessler at tds.net
Fri Mar 9 17:23:04 CST 2007


>>How are client authentication passwords really any less easy to fake?

How can you fake the client authentication?

a1 ::= MD5( product : UserAgent-Password )
ua-digest-response ::= HEX( MD5( HEX(a1) : RETS-Request-ID : session-id : version-info ) )

I suppose if the RETS-Request-ID and session-id were empty then it would
always be the same hash, but if it is implemented correctly it would be
difficult to fake.  How would you do it?

Stuart
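As an added example (not code from this thread or from any RETS implementation), the digest Stuart writes out, computed with Python's hashlib, beside a server-side verifier that refuses the empty-ID case he mentions; the product, UA password, session-id and request-id are constructed placeholders, and lowercase hex with UTF-8 encoding is assumed since the thread does not say.

```python
import hashlib
import hmac


def ua_digest(product, ua_password, request_id, session_id, version_info):
    """a1 = MD5(product ":" UA-Password);
    response = HEX(MD5(HEX(a1) ":" RETS-Request-ID ":" session-id ":" version-info)).
    Assumed (not stated in the thread): lowercase hex, UTF-8 encoding."""
    a1_hex = hashlib.md5(f"{product}:{ua_password}".encode("utf-8")).hexdigest()
    inner = f"{a1_hex}:{request_id}:{session_id}:{version_info}"
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def verify_ua_header(header, product, ua_password, request_id, session_id, version_info):
    """Server-side check of 'RETS-UA-Authorization: Digest <hex>'. Returns (accepted, reason).
    With both RETS-Request-ID and session-id empty the digest never changes for a given
    product/password pair (Stuart's caveat), so such requests are refused before comparing."""
    if not request_id and not session_id:
        return False, "empty request-id and session-id: digest would be static"
    if not header.startswith("Digest "):
        return False, "malformed header"
    expected = ua_digest(product, ua_password, request_id, session_id, version_info)
    presented = header[len("Digest "):].strip().lower()
    # constant-time comparison so the check itself leaks nothing through timing
    if hmac.compare_digest(expected, presented):
        return True, "ok"
    return False, "digest mismatch"


# Constructed sample values; the UA password is a placeholder, not a real secret.
PRODUCT = "ExampleClient/1.0"
UA_PASSWORD = "example-ua-password"
VERSION_INFO = "RETS/1.7"


def demo():
    """Client builds the header, server verifies it under three conditions."""
    rid, sid = "req-0001", "session-abc123"
    header = "Digest " + ua_digest(PRODUCT, UA_PASSWORD, rid, sid, VERSION_INFO)
    good = verify_ua_header(header, PRODUCT, UA_PASSWORD, rid, sid, VERSION_INFO)
    # the same header presented under another session no longer matches
    moved = verify_ua_header(header, PRODUCT, UA_PASSWORD, rid, "session-other", VERSION_INFO)
    # a header built with empty ids is a constant and is refused outright
    static = "Digest " + ua_digest(PRODUCT, UA_PASSWORD, "", "", VERSION_INFO)
    empty = verify_ua_header(static, PRODUCT, UA_PASSWORD, "", "", VERSION_INFO)
    return good, moved, empty


if __name__ == "__main__":
    print(demo())
```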

-----Original Message-----
From: Jeff Brush [mailto:jeffbrush at hotmail.com] 
Sent: Friday, March 09, 2007 4:07 PM
To: 'Stuart Schuessler'; 'Colby Ackerfield'; rets-dev at rets.org
Subject: RE: [Rets-dev] Username/Password and security policies


Stuart Schuessler wrote:

> You probably would want to implement the client authentication as well.
> Just checking the user-agent is easy to fake.  A person can do it with
> firefox.  If you do not implement the client authentication then anyone
> with a login to the MLS system and access privileges can download your
> entire database and sell it to a moving company or any number of data
> aggregators.

How are client authentication passwords really any less easy to fake? 
And how does client authentication prevent the user from selling the data?

At best, client authentication (the RETS-UA-Authorization header in RETS
1.7) provides a method for MLSs to limit which client applications may
access their systems. 

Jeff Brush
Ronin Technologies


