Comment 8 for bug 2033612

Revision history for this message
Chris M (pots) wrote :

@brian-rosmaita:

What I meant is that we're not using the MD5 hash to verify the integrity of some other data, or making it available to a potential attacker--it's simply being used as a shared secret, and we rely on TLS to protect it from eavesdropping.

Newer arrays ignore the MD5 hash and look for HTTP Basic Auth headers instead, so you're correct that it's just there for backwards compatibility with the old arrays.

Since the affected arrays were sold by other companies, we'll reach out to them for their input.

Chris