Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Valdis.Kletnieks () vt edu
Date: Wed, 15 Mar 2006 11:36:10 -0500
On Wed, 15 Mar 2006 10:14:23 EST, Simon Smith said:
I think that we've lost focus of my original question. My question refined is, does anyone else agree with me that using HTTP BASIC AUTH for important applications is a security risk/vulnerability (regardless of SSL)? Or, is everyone here telling me that they "feel safe" if the connections are SSL'ed and are not worried that the HTTP BASIC AUTH is only creating a base64 hash of their usernames and passwords that can easily be reversed? My personal opinion, I feel like we're painting over the rust on an old car... I don't feel like we're fixing the risks.
It's not bulletproof. There are holes. Having said that, remember two things: 1) Once you're doing BASIC over SSL, it requires a MITM attack. In most network configs, that means that the attacker needs to already control at least one *other* box on the wire. At that point, you have bigger problems. 2) BASIC AUTH over SSL isn't the weak point, especially if the source box is a Windows box with 57 different kinds of spyware and backdoors on it. If the endpoints aren't secure, you can't *really* secure the path between them. This is also why using SSL on your e-commerce site doesn't mean it's secure - it merely guarantees that the data isn't screwed with on its way to the server, where it will likely get dumped into a world-readable file for the benefit of the first guy to try anonymous FTP to the site because the FTP server doesn't chroot an anonymous connection....
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
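To make the point of the thread concrete, here is an added example (not from the thread, and not m0n0wall code) that parses an Authorization: Basic header as RFC 7617 defines it and applies the server-side policy the discussion implies: the credential is plain base64 encoding, so it is decoded only after the server has confirmed the request arrived over TLS. The header names and the is_tls flag are assumptions about how the surrounding server exposes connection state.

```python
"""Added example: RFC 7617 Basic credential parsing plus a transport check."""
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class BasicCredential:
    user: str
    password: str

def parse_basic_header(value: str) -> Optional[BasicCredential]:
    """Decode an Authorization header value; None if it is not valid Basic.

    The token is base64 *encoding*, not a hash: decoding recovers the
    cleartext, so confidentiality rests entirely on the transport.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', the password may,
    # so split on the first colon only.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return BasicCredential(user, password)

def accept_basic_auth(headers: dict, is_tls: bool) -> Tuple[int, Optional[BasicCredential]]:
    """Server-side policy: (HTTP status, parsed credential or None).

    `is_tls` is assumed to come from the socket or a proxy header the
    operator controls, never from anything the client can set.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return 401, None           # challenge the client
    if not is_tls:
        # The credential has already crossed the wire in cleartext; refuse
        # it without decoding so the handler never sees or logs a secret.
        return 403, None
    cred = parse_basic_header(auth)
    if cred is None:
        return 400, None           # malformed header
    return 200, cred               # hand off to the credential store

# Constructed sample: the RFC 7617 example credential "Aladdin:open sesame".
SAMPLE_HEADERS = {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}
```

A 403 on cleartext Basic is also a useful detection signal: every such response marks a client or proxy that is leaking a reusable credential and should be investigated.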