Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 15 Mar 2006 10:22:36 -0500
> I think that we've lost focus of my original question. My question refined is, does anyone else agree with me that using HTTP BASIC AUTH for important applications is a security risk/vulnerability (regardless of SSL)? Or, is everyone here telling me that they "feel safe" if the connections are SSL'ed and are not worried that the HTTP BASIC AUTH is only creating a base64 hash of their usernames and passwords that can easily be reversed? My personal opinion, I feel like we're painting over the rust on an old car... I don't feel like we're fixing the risks.
Is using Basic via SSL a security risk? .. No.
Is doing it on a firewall with self-signed certs stupid? .. Yes.
Is not ACL'ing the firewall's admin interface stupid? .. Yes.
Does all this warrant a "Vulnerability Notice"? .. No.

You can't "easily reverse" a base64 hash when it's encrypted with SSL (absent some MitM stuff). Sure, there are a dozen ways to do it better (client certs, something like SSH, whatever...) .. but implemented among clued-in admins isn't a problem -- if they know to verify and/or import the self-signed cert into their browser so they'll know if a MitM is attempted.
In reality, if someone is able to tinker with your broadcast medium (ARP spoofing, et al.) or DNS to initiate a MitM attack against you logging into the firewall, you've got bigger personnel problems. Get boxes for people's stuff and visit their offices with security.
~Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
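The two points argued above (the Basic header is base64, not a hash, so it is trivially decoded by anyone who sees the plaintext request; only the transport hides it, and a self-signed cert has to be explicitly trusted for that to hold) as an added audit script. This is example code written for this page, not anything from the thread or from m0n0wall; the request records, host name and credential are constructed.

```python
"""Audit captured HTTP request metadata for Basic credentials.

Reports which users sent Basic credentials and whether the transport
was TLS; the password itself is decoded only to prove it is recoverable
and is never stored or printed.
"""
import base64
import binascii
import ssl
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    over_tls: bool   # False means the credential crossed the wire in the clear


def decode_basic(header_value: str):
    """Return (user, password) from an 'Authorization: Basic <b64>' value.

    Returns None for any other scheme or a malformed token.  base64 is an
    encoding, not a hash: decoding it is all that is needed.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit(records):
    """records: iterable of (scheme, host, headers).  One Finding per Basic credential."""
    findings = []
    for scheme, host, headers in records:
        auth = headers.get("Authorization") or headers.get("authorization")
        creds = decode_basic(auth) if auth else None
        if creds is not None:
            findings.append(Finding(host, creds[0], scheme.lower() == "https"))
    return findings


def client_context(self_signed_cert_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the firewall's own (exported) cert.

    Default settings keep hostname checking and CERT_REQUIRED, so an
    interposed MitM certificate fails the handshake instead of being accepted.
    """
    return ssl.create_default_context(cafile=self_signed_cert_path)


# Constructed sample: the token is base64 of "admin:hunter2".
SAMPLE = [
    ("http", "fw.example.internal", {"Authorization": "Basic YWRtaW46aHVudGVyMg=="}),
    ("https", "fw.example.internal", {"Authorization": "Basic YWRtaW46aHVudGVyMg=="}),
    ("https", "fw.example.internal", {"Authorization": "Bearer not-basic"}),
]
```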