Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Simon Smith <simon () snosoft com>
Date: Thu, 16 Mar 2006 10:53:05 -0500

Mark,
    That's a good alternative. I'll add that to my list of options. Thanks!

Mark Coleman wrote:
At the risk of being flamed, I'll chime in with this since I don't
think it's been mentioned as an alternative:

How about SecurID one-time passwords?  Ride the HTTP Auth on SSL which
hides it all, and a Malcolm in the Middle attack just gets
username/PIN and a one-time password (MitM gives ability to DoS
lockout your account).

-Mark Coleman


gboyce wrote:
Ok, so what's your alternative?

You're already assuming that the user of the firewall is already
misusing SSL.  They need to blindly accept unsigned SSL certificates,
and changes to the certificates.  Just about any security
restrictions you can apply can be done away with if the user is
incompetent enough.

Some form of challenge response?  If you can already perform a man in
the middle attack, then challenge response is just as vulnerable.
Just connect to the server when the client hits you, and pass them
the challenge you received.  Use the credential yourself, and pass
them a failure.  When they try again, connect them to the server. 



-- 
Regards, 
        Jackass

