WebApp Sec mailing list archives
Re: Prevent security bypass
From: Chris Travers <chris () travelamericas com>
Date: Thu, 06 Feb 2003 09:06:26 -0800
Hi;

MS-CHAP is vulnerable to a modified replay attack with regard to domain login (why Microsoft went to Kerberos in Windows 2000). However, I do not think that this sort of attack could work on a public web server. Unfortunately, Mac and Linux clients won't be able to log into a public server if you select this option.
For a public web server I recommend basic (plain text) authentication and providing security by using SSL.
Best Wishes,
Chris Travers

Adam wrote:
I might be wrong about this, but I couldn't find anything on MS' site (who can?), but I thought the standard NT challenge response was sent unencrypted. If this has changed I'd love to know, because it would sure make my life easier :)

Adam