Frank, please see my comments inline.

> If I get it right,
> SimplePasswordAuth/SQLPasswordAuth/LDAPPasswordAuth/ExternalPasswordAuth
> are not really secure, since they just encrypt the password to an MD5
> hash which is sent over an unsecured channel over the network, means,
> that everyone that can sniff/grab the MD5 password hash may just use it
> to authenticate himself on the gatekeeper. Right?

Theoretically no, because the crypto tokens carrying hashes also contain timestamps, and this should prevent the hashes from being reused. Practically yes, because the gatekeeper does not check this timestamp. The best choice here would be CAT, which generates a different hash each time.

List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
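
The timestamp check that the reply says is missing can be sketched as follows. This is an added example, not GnuGk code and not part of the original message: it models the token as an MD5 over alias, timestamp and password in a delimited string (not the H.235 ASN.1 encoding), assumes the timestamp is covered by the hash, and all names, the 30-second window and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 30  # seconds a token stays acceptable (assumed value)


def token_hash(alias, timestamp, password):
    # Simplified stand-in for the real token hash (assumption): a delimited
    # string is hashed here instead of an ASN.1-encoded structure.
    data = f"{alias}\x00{timestamp}\x00{password}".encode()
    return hashlib.md5(data).hexdigest()


def make_token(alias, password, now):
    return {"alias": alias, "timestamp": now,
            "hash": token_hash(alias, now, password)}


def hash_matches(token, password):
    expected = token_hash(token["alias"], token["timestamp"], password)
    return hmac.compare_digest(expected, token["hash"])


def verify_hash_only(token, password):
    """Models the behaviour described above: timestamp present, never checked."""
    return hash_matches(token, password)


class FreshnessVerifier:
    """Hypothetical verifier that enforces the timestamp and remembers tokens."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (alias, hash) -> timestamp of accepted tokens

    def verify(self, token, password, now):
        if not hash_matches(token, password):
            return "bad-hash"   # includes tokens whose timestamp was altered
        if abs(now - token["timestamp"]) > self.max_skew:
            return "stale"      # captured token presented too late
        # Drop entries old enough that the skew check alone rejects them.
        self.seen = {k: ts for k, ts in self.seen.items()
                     if abs(now - ts) <= self.max_skew}
        key = (token["alias"], token["hash"])
        if key in self.seen:
            return "replayed"   # same token presented twice inside the window
        self.seen[key] = token["timestamp"]
        return "ok"
```

The replay cache is needed because a freshness window alone still accepts a captured token that is resent within `MAX_SKEW` seconds.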