Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Fri, 17 Mar 2006 12:39:30 -0500
On 3/16/06, Felix Lindner <fx () sabre-labs com> wrote:
> you may be looking for Digest Authentication: http://www.ietf.org/rfc/rfc2617.txt:
> "Like Basic, Digest access authentication verifies that both parties to a communication know a shared secret (a password); unlike Basic, this verification can be done without sending the password in the clear, which is Basic's biggest weakness. As with most other authentication protocols, the greatest sources of risks are usually found not in the core protocol itself but in policies and procedures surrounding its use."
Digest probably isn't a good answer to a MITM attack, because as far as I can tell there is nothing stopping the MITM from downgrading to BA. I haven't actually tested this. Maybe the browsers have config options to disable BA authentication, or at least give some kind of visual indicator that the authentication is digest rather than basic.

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
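Brian's concern is that an in-path attacker can rewrite the server's `WWW-Authenticate: Digest ...` challenge into a `Basic` one, after which the browser hands over the password in cleartext. The Python below is an added example, not code from the thread or from m0n0wall: it parses a challenge, computes the RFC 2617 digest response using the RFC's own sample values (so the password itself never crosses the wire), and implements the client-side policy Brian wishes browsers offered: refuse a Basic challenge over cleartext HTTP, and refuse any challenge weaker than the strongest one already seen from the same origin. The names `parse_www_authenticate`, `digest_response` and `AuthPolicy`, and the Basic challenge text, are assumptions made for this example.

```python
import hashlib
import re

# Sample challenge taken from the RFC 2617 example (values constructed in the RFC,
# not captured from any real host).
RFC2617_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
# Constructed challenge of the kind a downgrading middlebox would substitute.
BASIC_CHALLENGE = 'Basic realm="testrealm@host.com"'

# name=value pairs, quoted or bare, separated by commas
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_www_authenticate(header):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, params, cnonce, nc="00000001"):
    """RFC 2617 'response' value: only hashes derived from the password are sent."""
    ha1 = _md5(f"{username}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    qop = params.get("qop")
    if qop:
        # The server may advertise several qop values; this example only does 'auth'.
        if "auth" not in [q.strip() for q in qop.split(",")]:
            raise ValueError("only qop=auth is implemented here")
        return _md5(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{params['nonce']}:{ha2}")  # RFC 2069 compatibility form


_RANK = {"basic": 1, "digest": 2}


class AuthPolicy:
    """Client-side decision on whether to answer a challenge at all (hypothetical)."""

    def __init__(self, allow_basic_over_plain_http=False):
        self.allow_basic_over_plain_http = allow_basic_over_plain_http
        self.strongest_seen = {}  # origin -> strongest scheme observed so far

    def decide(self, origin, header, tls):
        scheme, _ = parse_www_authenticate(header)
        if scheme not in _RANK:
            return "refuse", f"unsupported scheme {scheme!r}"
        prev = self.strongest_seen.get(origin)
        # A weaker scheme than previously seen from this origin is the downgrade case.
        if prev is not None and _RANK[scheme] < _RANK[prev]:
            return "refuse", f"downgrade from {prev} to {scheme}"
        self.strongest_seen[origin] = scheme if prev is None else prev
        if scheme == "basic" and not tls and not self.allow_basic_over_plain_http:
            return "refuse", "basic would send the password in cleartext"
        return "answer", scheme


if __name__ == "__main__":
    _, p = parse_www_authenticate(RFC2617_CHALLENGE)
    print(digest_response("Mufasa", "Circle Of Life", "GET", "/dir/index.html", p, cnonce="0a4f113b"))
    pol = AuthPolicy()
    print(pol.decide("http://host.com", RFC2617_CHALLENGE, tls=False))
    print(pol.decide("http://host.com", BASIC_CHALLENGE, tls=False))
```

The pinning policy only addresses the downgrade Brian describes; it is not a substitute for TLS. A passive observer of a Digest exchange still obtains an MD5-derived value against which password guesses can be tested offline, and an attacker who controls the transport can tamper with the response body regardless of how the client authenticated.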