WebApp Sec mailing list archives

Re: Prevent security bypass

From: Chris Travers <chris () travelamericas com>
Date: Thu, 06 Feb 2003 09:06:26 -0800

Hi;

MS-CHAP is vulnerable to a modified replay attack with regard to domainlogin (why Microsoft went to Kerberos in Windows 2000). However I donot think that this sort of attack could work on a public web server.Unfortunately Mac and Linux clients won't be able to log into a publicserver is you select this option.

For a public web server I recommend basic (plain text) authenticationand providing security by using SSL.

Best Wishes,
Chris Travers


Adam wrote:

I might be wrong about this but I couldn't find anything on MS' site (who
can?) but I thought the standard NT challenge response was sent unencrypted.
If this has changed I'd love to know because t would sure make my life
easier :)

Adam

Current thread:

Prevent security bypass Chris Neil (Feb 04)
- Re: Prevent security bypass Kalyan Varma (Feb 04)
- Re: Prevent security bypass Igor Guarisma (Feb 05)
- RE: Prevent security bypass Adam (Feb 05)
  - Re: Prevent security bypass Chris Travers (Feb 06)
    - RE: Prevent security bypass Adam (Feb 06)
    - RE: Prevent security bypass Larry Seltzer (Feb 06)
    - Re: Prevent security bypass Chris Travers (Feb 06)
- Re: Prevent security bypass Ulrich P. (Feb 05)
  - Re: Prevent security bypass Chris Travers (Feb 04)
  - Re: Prevent security bypass c3rb3r (Feb 04)
  - Re: Prevent security bypass Adrian Wiesmann (Feb 04)
- Re: Prevent security bypass sunzi (Feb 07)
  - Re: Prevent security bypass Ernie Nelson (Feb 07)
    - HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
    - RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- <Possible follow-ups>
- Re: Prevent security bypass Ken Rachynski (Feb 04)
- RE: Prevent security bypass David Cameron (Feb 04)

(Thread continues...)