-rw-r--r--doc/security.xml19
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/security.xml b/doc/security.xml
index 5caeda6..f014276 100644
--- a/doc/security.xml
+++ b/doc/security.xml
@@ -6,8 +6,9 @@
model: use of a malicious HTTP server. Under this threat model, a
range of attacks are possible against a client when the user (or
application) can be tricked into accessing an HTTP server which is
- controlled by an attacker. This section documents the types of
- possible attack and describes how they affect &neon;.</para>
+ controlled by an attacker. This section documents various types of
+ possible attack and describes what mitigation is used in
+ &neon;.</para>
<sect2>
<title>CPU or memory consumption attacks</title>
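Review bot: the new wording at the end of this hunk ("describes what mitigation is used in &neon;") commits every following subsection to naming a mitigation, so each one should either describe the mitigation or state plainly that &neon; provides none and the application must handle it; the old text ("describes how they affect &neon;") did not make that promise. Minor style point on the same lines: "various types of possible attack" reads awkwardly, "the types of attack that are possible" keeps the meaning and scans better.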
@@ -90,7 +91,9 @@
does not match the expected identity (or is otherwise not
trusted), &neon; will fail the request by default. This behaviour
can be overridden by the use of a callback installed using <xref
- linkend="ne_ssl_set_verify"/>.</para>
+ linkend="ne_ssl_set_verify"/>, which allows the application to
+ present the certificate details to a user for manual/off-line
+ verification, if possible.</para>
<para>Test cases for the correctness of the implementation of the
identity verification algorithm are present in the &neon; test
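Review bot: "for manual/off-line verification, if possible" is ambiguous on the added lines, since it is unclear whether "if possible" qualifies presenting the details or the user's ability to verify them; suggest "which allows the application to present the certificate details to the user for manual or out-of-band verification before the connection is accepted." The paragraph should also say explicitly that a callback installed via ne_ssl_set_verify which returns success without such a check disables identity verification altogether, because the default (failing the request) is what protects the client under the malicious-server threat model this document states.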
@@ -121,11 +124,11 @@
allowing the application (and hence, user) to specify that only a
specific set of authentication protocols is permitted.</para>
- <para>&neon; supports the Digest, and Negotiate authentication
- schemes, which both allow user authentication without passing
- credentials over the wire. The "domain" parameter is supported in
- Digest, allowing the server to restrict an authentication session
- to a particular set of URIs.</para>
+ <para>&neon; supports the Digest and Negotiate authentication
+ schemes, which both allow authentication of users without passing
+ credentials in cleartext over the wire. The "domain" parameter is
+ supported in Digest, allowing the server to restrict an
+ authentication session to a particular set of URIs.</para>
</sect2>
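Review bot: the tightening from "without passing credentials over the wire" to "without passing credentials in cleartext over the wire" is the right correction, but under the malicious-server threat model stated at the top of this file the paragraph should add that a server controlled by an attacker can still capture the Digest response and run an offline dictionary attack against it, so Digest does not protect a weak password and TLS remains necessary; suggest one sentence to that effect after "credentials in cleartext over the wire." Style point: "allow authentication of users" is more awkward than the original "allow user authentication"; keep the original phrase with the "in cleartext" fix.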