Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: "Brian Eaton" <eaton.lists () gmail com>
Date: Fri, 17 Mar 2006 12:39:30 -0500

On 3/16/06, Felix Lindner <fx () sabre-labs com> wrote:
> you may be looking for Digest Authentication:
> http://www.ietf.org/rfc/rfc2617.txt:
>
>    "Like Basic, Digest access authentication verifies that both parties
>    to a communication know a shared secret (a password); unlike Basic,
>    this verification can be done without sending the password in the
>    clear, which is Basic's biggest weakness. As with most other
>    authentication protocols, the greatest sources of risks are usually
>    found not in the core protocol itself but in policies and procedures
>    surrounding its use."

Digest probably isn't a good answer to a MITM attack, because as far
as I can tell there is nothing stopping the MITM from downgrading to
BA.

I haven't actually tested this.  Maybe the browsers have config
options to disable BA authentication, or at least give some kind of
visual indicator that the authentication is digest rather than basic.

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
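The downgrade Brian describes, worked through as an added example that is not part of the original thread and not code from any firewall or browser: a server issues an RFC 2617 Digest challenge, an on-path attacker rewrites the WWW-Authenticate header to Basic, and a client that answers whatever scheme it is offered hands the attacker the cleartext password. The realm, nonce, cnonce and credentials are constructed for the example; the client, attacker and server functions are illustrative, not a real implementation.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample challenge in the form a server would send it (RFC 2617
# Digest with qop=auth). Realm and nonce are made up for this example.
DIGEST_CHALLENGE = ('Digest realm="example", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"')


def parse_auth_params(header):
    """Split a WWW-Authenticate / Authorization value into scheme and params.
    Accepts both quoted (realm="x") and bare (qop=auth, nc=00000001) values."""
    scheme, _, params = header.partition(" ")
    fields = {k: (q or u) for k, q, u in
              re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}
    return scheme, fields


def mitm_downgrade(www_authenticate):
    """On-path attacker: replace the Digest challenge with a Basic one.
    HTTP does not authenticate the challenge itself, so the client has no
    way to notice that the header was altered in transit."""
    _, fields = parse_auth_params(www_authenticate)
    return 'Basic realm="%s"' % fields.get("realm", "")


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri,
                    qop="auth", nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 Digest (qop=auth): the password enters only through HA1,
    so the Authorization header never carries it in the clear."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def naive_client(challenge, user, password, method="GET", uri="/"):
    """Browser-like behaviour: answer whichever scheme the challenge names."""
    scheme, f = parse_auth_params(challenge)
    if scheme == "Basic":
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return "Basic " + token
    if scheme == "Digest":
        return digest_response(user, password, f["realm"], f["nonce"],
                               method, uri, f.get("qop", "auth"))
    raise ValueError("unsupported scheme: " + scheme)


def strict_client(challenge, user, password, method="GET", uri="/"):
    """The policy Brian wishes browsers offered: refuse anything but Digest,
    which is what defeats the downgrade."""
    scheme, _ = parse_auth_params(challenge)
    if scheme != "Digest":
        raise PermissionError("refusing to answer a %s challenge" % scheme)
    return naive_client(challenge, user, password, method, uri)


def eavesdrop(authorization):
    """What a passive observer learns from the Authorization header:
    (user, password) for Basic, nothing usable for Digest."""
    scheme, _, rest = authorization.partition(" ")
    if scheme == "Basic":
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return user, password
    return None


def server_verify(authorization, users, method="GET"):
    """Server side: recompute the Digest response from the stored password."""
    scheme, f = parse_auth_params(authorization)
    if scheme != "Digest" or f.get("username") not in users:
        return False
    expected = digest_response(f["username"], users[f["username"]],
                               f["realm"], f["nonce"], method, f["uri"],
                               f["qop"], f["nc"], f["cnonce"])
    _, ef = parse_auth_params(expected)
    return hmac.compare_digest(ef["response"], f["response"])


if __name__ == "__main__":
    genuine = naive_client(DIGEST_CHALLENGE, "alice", "s3cret")
    print("Digest reply:", genuine, "-> eavesdropper sees:", eavesdrop(genuine))
    downgraded = mitm_downgrade(DIGEST_CHALLENGE)
    leaked = naive_client(downgraded, "alice", "s3cret")
    print("After downgrade:", leaked, "-> eavesdropper sees:", eavesdrop(leaked))
```

The attacker needs only to rewrite one response header; it never has to break MD5 or guess the nonce. The strict client shows the only client-side fix: a policy that refuses Basic outright, since a visual indicator of "Digest vs. Basic" would still depend on the user noticing it on every prompt.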
