Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Mon, 13 Mar 2006 15:23:27 -0500
Does anyone else feel that using HTTP BASIC AUTH for a firewall is a bad idea even if it is SSL'd. All basic auth does is creates a hash string for username:password using base64. That can easily be reversed and the real username and password extracted. Sure it's SSL but can't a crafty attacker just create a proxy of sorts on a compromised network and intercept the communications? Am I missing something here?
If it's Basic via SSL, then it's fine. Nobody will be able to intercept it.It is possible to setup a MITM attack using SSL, but you've got to use a forged certificate and the browser will alert as to such. The problem there lies in the fact that most users will blindly click "ok" to such a dialouge.
You said this is a firewall box. Most "appliances" I've seen use self-signed SSL certs which don't validate anyway -- so you're ALREADY used to clicking "ok" on the warning. Therein lies the danger I suppose.
Cheers, Michael Holstein CISSP GCIA Cleveland State University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: HTTP AUTH BASIC monowall., (continued)
- Re: Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: Re: HTTP AUTH BASIC monowall. greybrimstone (Mar 15)
- Re: Re: HTTP AUTH BASIC monowall. Dave Korn (Mar 16)
- Re: Re: Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Steffen Kluge (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Valdis . Kletnieks (Mar 14)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 14)
- Re: HTTP AUTH BASIC monowall. Jim Popovitch (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 17)