-rw-r--r-- | doc/security.xml | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/security.xml b/doc/security.xml index 5caeda6..f014276 100644 --- a/doc/security.xml +++ b/doc/security.xml @@ -6,8 +6,9 @@ model: use of a malicious HTTP server. Under this threat model, a range of attacks are possible against a client when the user (or application) can be tricked into accessing an HTTP server which is - controlled by an attacker. This section documents the types of - possible attack and describes how they affect &neon;.</para> + controlled by an attacker. This section documents various types of + possible attack and describes what mitigation is used in + &neon;.</para> <sect2> <title>CPU or memory consumption attacks</title> @@ -90,7 +91,9 @@ does not match the expected identity (or is otherwise not trusted), &neon; will fail the request by default. This behaviour can be overridden by the use of a callback installed using <xref - linkend="ne_ssl_set_verify"/>.</para> + linkend="ne_ssl_set_verify"/>, which allows the application to + present the certificate details to a user for manual/off-line + verification, if possible.</para> <para>Test cases for the correctness of the implementation of the identity verification algorithm are present in the &neon; test @@ -121,11 +124,11 @@ allowing the application (and hence, user) to specify that only a specific set of authentication protocols is permitted.</para> - <para>&neon; supports the Digest, and Negotiate authentication - schemes, which both allow user authentication without passing - credentials over the wire. The "domain" parameter is supported in - Digest, allowing the server to restrict an authentication session - to a particular set of URIs.</para> + <para>&neon; supports the Digest and Negotiate authentication + schemes, which both allow authentication of users without passing + credentials in cleartext over the wire. The "domain" parameter is + supported in Digest, allowing the server to restrict an + authentication session to a particular set of URIs.</para> </sect2> |
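Review bot: in the first hunk (the threat-model paragraph), "describes what mitigation is used in &neon;" reads as if there is a single mitigation, while the section goes on to describe several (per-attack limits, certificate identity verification, restriction of authentication schemes). Suggest the plural and active form, e.g. "describes the mitigations &neon; uses against each", so the intro matches the structure of the subsections that follow.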
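Review bot: in the ne_ssl_set_verify hunk, the new text describes only the benign use of the callback (showing the certificate to a user for manual verification) but not its security consequence: the surrounding sentence says the callback "overrides" the default failure, so an application whose callback returns success without a real check silently disables identity verification for that connection. Suggest saying so explicitly, e.g. "An application that accepts the certificate from this callback without verifying it is exposed to the server impersonation attack described above." Also, "for manual/off-line verification, if possible" leaves "if possible" dangling (possible for whom?); either drop it or state what the application must do when no user is available to confirm the identity (fail the request).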
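Review bot: in the authentication hunk, the correction from "without passing credentials over the wire" to "without passing credentials in cleartext over the wire" is the right fix (Digest does send a password-derived value, just not the password), but the new wording should be tied to the preceding paragraph about restricting permitted schemes: under this section's threat model the server is attacker-controlled, so it can simply offer Basic instead of Digest or Negotiate, and the cleartext protection only holds if the application has limited the permitted protocols as that paragraph describes. Suggest adding a sentence such as "This protection is only effective if the application restricts the set of permitted authentication protocols, since a malicious server may otherwise offer only Basic authentication." The "domain" parameter sentence is fine as reworded.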