Full Disclosure mailing list archives
Re: Re: Re: HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Thu, 16 Mar 2006 09:44:34 -0500
Dave,

No shit, maybe I do have amnesia. I had one of those stupid days yesterday anyway and you'd think that I'd know better than to write to FD when I'm like that... but no... I'd rather make myself look like an ass. ;]

Dave Korn wrote:
> Simon Smith wrote:
>> Whoever said I was going to issue a security advisory or "warning" as you called it?
>
> You did. Have you got amnesia or what?
>
> -----------------------<quote>
> From: Simon Smith <simon () snosoft com>
> Subject: Re: HTTP AUTH BASIC monowall.
> Date: Mon, 13 Mar 2006 15:37:03 -0500
> Message-ID: <4415D7EF.7020905 () snosoft com>
> References: <4415C97E.6030307 () snosoft com>
>   <20060313194945.GB3298 () sentinelchicken org>
>   <a260a2190603131156u1642d587n2d325ec44e23b78a () mail gmail com>
>   <200603131204.19462.requiem () praetor org>
> In-Reply-To: <200603131204.19462.requiem () praetor org>
> -----------------------<snips>
> So, I guess I've really answered my own question, perhaps I should release some sort of an advisory on all of these products that are using basic auth.
> -----------------------<quote>
>
> To which my response was, to paraphrase, "No, perhaps you should not".
>
>> Gee, you must have missed the entire thread... who said internet?
>
> As the above demonstrates, I seem to have taken in more of it than you have.
>
>>> There's nothing wrong with BASIC AUTH.
>>
>> Aside from the fact that it's... um... insecure?
>
> You don't seem to get the concept of security. It's not an absolute, all-or-nothing. It's a continuum. It's meaningless to ask whether something is 'secure' or 'not secure' in the abstract. You can ask whether things are more or less secure, against certain threats, under certain assumptions. This applies to absolutely any kind of anything, not just authentication, and not just basic auth.
>
> Basic auth is highly secure when deployed correctly in a well-managed LAN. It's a good match to a lot of the problems it is called on to solve. It does not solve, and does not attempt to solve because that is not within its remit, the problems that happen if your entire network infrastructure is already owned from within. Nor does any other sort of authentication protocol. In this, basic is no different from any other. Some auth protocols may offer more or less security against some kinds of compromises or others, but there's no general rule here.
>
>> Well, you are a good example. You don't write very good emails and you aren't very well aware of the entire email thread now are you?
>
> You've already said this, and as I demonstrated, I'm more aware of it than you are.
>
>> I'll make it a point to not be as silly as you. ;]
>
> You've certainly succeeded in not being *as* silly as me. Next time, though, try doing it by being /less/ silly than me!
>
>>> cheers,
>>> DaveK
>>
>> AH you are from the UK, you said Cheers!
>
> "Cheers" is/was an American TV show, isn't it?
>
> cheers,
> DaveK

--
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/