Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Tim <tim-security () sentinelchicken org>
Date: Mon, 13 Mar 2006 19:23:24 -0500

Hi Lyal,

I find a central issue that often reoccurs when discussing secure protocols
is the definition of where the secure protocol starts and stops - the user,
the application, or some underlying OS/functional library or network device?

Based on the context in which the discussion started, anything outside
of MitM attacks and the certificate authentication that prevents them
seems out of scope to me, but definitely valid points as Jeremy
mentioned.

There are usually huge chasms between the business, legal and
technical/security guru perspective on this - but in my experience these
differences significantly influence purchase and implementation budget
decisions.

I do agree with you, of course.  All of these other things are
prerequisite, and are almost always much more important to security than
the crypto protocols are.  This is why I HATE it when laymen say "I have
a secure webserver".  What they (almost always) really mean is "I have a
webserver that runs SSL/TLS".  A safe protocol is just the first step.

The reason I've gone off on such a tirade is that so many people use SSL
all the time and do it completely wrong.  They don't understand the PKI
behind it, why they should trust it and how to keep it from being
subverted.  The key to implementing it correctly is to FIRST understand
the PKI behind it (meaning administrator and user education), then work
your way up from there (eg. passwords/ACLs on endpoints, etc).

cheers,
tim
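As an added illustration of Tim's point (not part of the original post), the Python snippet below contrasts a TLS client context that actually authenticates the server with the "encrypted but unauthenticated" setup he describes, and audits either for the properties that defeat a MitM. The function and label names are my own; the CA bundle path is an assumed argument.

```python
import ssl


def strict_client_context(cafile=None):
    """TLS client context that authenticates the server, not just encrypts.

    cafile: path to the CA bundle this client trusts (None = OS trust store).
    Chain validation plus hostname matching is what stops a MitM; the cipher
    alone does not.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True                      # cert name must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must reach a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / 1.1
    return ctx


def lax_client_context():
    """The 'I have a webserver that runs SSL' mistake: encrypted, unverified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # any certificate is accepted
    return ctx


def audit_context(ctx):
    """Return the reasons this context would not stop a man-in-the-middle."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate subject is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy protocol versions are allowed")
    return problems


def peer_subject(host, port=443, ctx=None):
    """Open a verified connection and return the server cert subject (needs network)."""
    import socket
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("strict:", audit_context(strict_client_context()))
    print("lax:   ", audit_context(lax_client_context()))
```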

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
