Security Basics mailing list archives

Re: Apache AuthBasic


From: Miles Stevenson <miles () mstevenson org>
Date: Fri, 12 Dec 2003 14:55:56 -0500

Hi Jon.

The best security you can have for your content completely depends on
what the content is (Static HTML page, text document, PHP web app, etc).
What is it that you are trying to secure?

SSL + Authbasic will provide you with good security while the web
traffic is in transit (provided by SSL), and it will provide you with a
medium level of authentication (user/pass). Do you have integrity
requirements as well? If this is a document, can you PGP encrypt it?
There are tons of possibilities here.

If this is an actual web application you are trying to protect, then it
becomes a whole different ballgame. The amount of security provided by
the application itself is a very big factor here, and things like secure
session IDs become a very important part of it. This can get very
complex, especially when a back-end database enters the picture.

So I'd have to ask you not only what it is that you are trying to
secure, but what are your security requirements when it comes to
confidentiality, integrity, and availability?

-Miles

On Fri, 2003-12-12 at 10:46, Jon Mark Allen wrote:
I have a website with one particular folder I want to secure.

I have set up SSL and Apache AuthBasic for that folder and all subfiles.

My question is: does anyone know of any vulnerabilities or ways to crack/circumvent AuthBasic?

So far, the only method I've found of breaking AuthBasic is to sniff the traffic to lift the username/password, but I've tested that with the SSL and the username/password combo is passed after SSL has already been established.

It is very important that this folder be as secure as I can make it. Obviously, just being available on the web at all reduces the overall security significantly, but I don't have a choice there. :-)

Thanks for your help.

Jon Mark

-- 
Miles Stevenson
miles () mstevenson org

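Added example, not part of either post in this thread: a short Python script showing what AuthBasic actually puts on the wire (which is what a sniffer recovers when SSL is absent), how the server side checks the credential against an htpasswd file, and how to spot repeated failures in the Apache access log. The user name, password, htpasswd entry and log lines are constructed for the example; nothing here is from the thread or from Apache's own code.

```python
# Added example for the AuthBasic thread; all names, the htpasswd entry and
# the log lines below are constructed for illustration, not data from the thread.
import base64
import hashlib
import hmac
from collections import Counter


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after a 401 challenge.
    It is only base64("user:password") (RFC 7617), not encryption, which is
    why sniffing plain HTTP yields the password and SSL is required."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """What an eavesdropper on a plaintext connection recovers from the header.
    Returns (user, password), or None if the header is not well-formed Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


# Constructed htpasswd file in Apache's "{SHA}" format (what `htpasswd -s`
# writes): base64 of the raw SHA-1 digest. The password is the deliberately
# weak "password" so the entry is recognisable; keep the real file outside
# DocumentRoot and point AuthUserFile at it.
HTPASSWD = """\
# constructed entry for the example
jonmark:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def sha_entry(password: str) -> str:
    """Hash a password the way `htpasswd -s` does."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def load_htpasswd(text: str) -> dict:
    """Parse user:hash lines, ignoring blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep:
            users[user] = stored
    return users


def check_credentials(users: dict, user: str, password: str) -> bool:
    """Server-side check; only the {SHA} format is handled here. The compare
    is constant-time so wrong-user and wrong-hash are not timing-distinguishable."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


# Constructed Apache access-log lines (combined format) for the protected folder.
# Apache logs the user name offered by the client even on a 401, so guesses are
# visible per client address.
ACCESS_LOG = """\
10.0.0.5 - - [12/Dec/2003:10:46:01 -0500] "GET /private/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.5 - jonmark [12/Dec/2003:10:46:02 -0500] "GET /private/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.5 - jonmark [12/Dec/2003:10:46:03 -0500] "GET /private/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.5 - jonmark [12/Dec/2003:10:46:09 -0500] "GET /private/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Dec/2003:10:47:00 -0500] "GET /private/ HTTP/1.1" 401 401 "-" "curl/7.10"
"""


def failed_auth_by_client(log_text: str, threshold: int = 3) -> dict:
    """Count 401 responses per client address and return those at or above the
    threshold: the crude guessing signal, since AuthBasic has no lockout of its own."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, status = fields[0], fields[8]
        if status == "401":
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    header = basic_header("jonmark", "password")
    print("on the wire:", header)
    print("recovered by a sniffer:", decode_basic_header(header))
    users = load_htpasswd(HTPASSWD)
    print("right password:", check_credentials(users, "jonmark", "password"))
    print("wrong password:", check_credentials(users, "jonmark", "Password"))
    print("clients with repeated 401s:", failed_auth_by_client(ACCESS_LOG))
```

Two practical points follow from it. The Authorization header travels with every request to the folder, so the folder must not also be reachable over plain HTTP on the same server (mod_ssl's SSLRequireSSL directive inside the same Directory block enforces that). And AuthBasic has no lockout, so repeated 401s from one address in the access log are the only brute-force signal you get unless you add one.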
