Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Tim <tim-security () sentinelchicken org>
Date: Mon, 13 Mar 2006 19:23:24 -0500
Hi Lyal,
> I find a central issue that often recurs when discussing secure protocols is the definition of where the secure protocol starts and stops - the user, the application, or some underlying OS/functional library or network device?
> Based on the context in which the discussion started, anything outside of MitM attacks and the certificate authentication that prevents it seems out of scope to me, but definitely valid points as Jeremy mentioned.
> There are usually huge chasms between the business, legal and technical/security guru perspective on this - but in my experience these differences significantly influence purchase and implementation budget decisions.
I do agree with you, of course. All of these other things are prerequisite, and are almost always much more important to security than the crypto protocols are. This is why I HATE it when laymen say "I have a secure webserver". What they (almost always) really mean is "I have a webserver that runs SSL/TLS". A safe protocol is just the first step.

The reason I've gone off on such a tirade is that so many people use SSL all the time and do it completely wrong. They don't understand the PKI behind it, why they should trust it and how to keep it from being subverted. The key to implementing it correctly is to FIRST understand the PKI behind it (meaning administrator and user education), then work your way up from there (e.g. passwords/ACLs on endpoints, etc).

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
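The point Tim makes about "the PKI behind it" comes down to one decision inside the TLS client: when the server's certificate arrives, is it chained to a trust anchor the client already holds, and is it issued for the name the client meant to reach? The following is an added example, not code from this thread or from m0n0wall; it builds a throwaway PKI in memory (an operator CA, a genuine server certificate, and an attacker's self-signed certificate for the same hostname) and runs the client-side check four ways. The hostnames and the CA name are made up for the demonstration, and the attacker certificate stands in for whatever a MitM presents on the wire.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root, or a lone self-signed server cert); otherwise it is
// signed by parentKey, the private key belonging to parent. Keys live in memory only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate: a root that may sign certificates and nothing else.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// serverTemplate: a leaf that may only authenticate a TLS server for the SAN it carries.
func serverTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// checkPeer is the decision a TLS client makes when the Certificate message
// arrives. verify == false models a client that accepts whatever is presented
// (curl -k, InsecureSkipVerify, clicking through a browser warning): the
// session is still encrypted, but to whoever answered the connection.
func checkPeer(peer *x509.Certificate, expectedHost string, roots *x509.CertPool, verify bool) error {
	if !verify {
		return nil
	}
	_, err := peer.Verify(x509.VerifyOptions{
		DNSName:   expectedHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Result holds each scenario's outcome; nil means the client would proceed.
type Result struct {
	GenuineTrusted  error // genuine cert, operator CA installed, verification on
	AttackerTrusted error // attacker's self-signed cert for the same name, verification on
	WrongHost       error // genuine cert, but the client expected another name
	AttackerNoCheck error // attacker's cert, verification disabled
}

// Run builds the toy PKI and evaluates the four scenarios.
func Run() Result {
	const host = "fw.example.test" // hypothetical firewall hostname
	caCert, caKey := issue(caTemplate("Operator Root CA", 1), nil, nil)
	genuine, _ := issue(serverTemplate(host, 2), caCert, caKey)
	// An attacker can mint a certificate carrying the same name; what they
	// cannot do is have it signed by a key the client already trusts.
	attacker, _ := issue(serverTemplate(host, 3), nil, nil)

	trusted := x509.NewCertPool()
	trusted.AddCert(caCert) // the administrator-installed trust anchor

	return Result{
		GenuineTrusted:  checkPeer(genuine, host, trusted, true),
		AttackerTrusted: checkPeer(attacker, host, trusted, true),
		WrongHost:       checkPeer(genuine, "other.example.test", trusted, true),
		AttackerNoCheck: checkPeer(attacker, host, trusted, false),
	}
}

func main() {
	r := Run()
	fmt.Println("genuine cert, trusted CA:      ", r.GenuineTrusted)
	fmt.Println("attacker cert, trusted CA:     ", r.AttackerTrusted)
	fmt.Println("genuine cert, wrong host:      ", r.WrongHost)
	fmt.Println("attacker cert, no verification:", r.AttackerNoCheck)
}
```

Only the first scenario should pass; the last one also passes, and that is the failure mode the message describes: an encrypted channel to an unauthenticated peer, over which HTTP Basic credentials are then handed to whoever sits in the middle. Installing the operator's CA (or the device's own self-signed certificate) as a trust anchor and refusing to proceed on a verification error is the "understand the PKI first" step.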