Firewall Wizards mailing list archives
Re: Our friend FTP, again
From: Matthew Patton <patton () sysnet net>
Date: Thu, 15 Apr 1999 20:23:23 -0400
HTTP lacks reliable OTP implementation,

That's because of the above... Lots of protocols have this problem, FTP isn't one of them. HTTP needs to add an OTP flag, and a short-lived cookie needs to be set to authenticate after the first time.
Hmm, why didn't I think of that? Though some people block cookies. Could make it a cookie equivalent. Basically a URL segment (or form variable) that gets sent every time and say expires in 5 minutes. HTTP for those who don't care, HTTPS for those with say, reusable passwords.

Example scenario:

http[s]://user:password(s/key?)/rest_of_url

or fill in dialog box with username/password, preferably OTP unless SSL. If a directory listing, and authenticated, each URL would have the 'auth' bit tacked on:

filename.txt?auth=base64_encoded_auth_token

So how do you stop a replay attack? If we don't use HTTPS I guess we can't. At least I can't think of any workable solution. Have the SecurID or other OTP guys done anything with this?

--------
OpenBSD - Because security matters... (http://www.openbsd.org/)

"Bill Clinton has acted for the past year on his deepest beliefs: that Law is merely politics, that the truth is merely spin, that an oath is merely rhetoric, that justice is merely power. These doctrines...corrupt us and degrade our constitutional order in a profound way." - William Kristol (Newsweek)
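Added example, not part of the original message: a Python sketch of the expiring `auth` URL token described above. `SERVER_KEY`, the token layout and the function names are assumptions made for illustration. A stateless check accepts the same token again within its lifetime, which is the replay problem the message raises; the `single_use` mode shows the server-side state needed to reject a second presentation.

```python
import base64, hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 300              # the 5-minute lifetime suggested in the message
_accepted = set()            # HMAC tags already accepted (single-use mode only)

def issue_token(user, now=None):
    """Build the value for ?auth=...: base64(user|expiry|nonce + HMAC-SHA256 tag)."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{user}|{expiry}|{os.urandom(8).hex()}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def verify_token(token, now=None, single_use=False):
    """Return the user name for an authentic, unexpired token, else None."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:          # bad padding or non-ASCII input
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None             # forged or modified token
    user, expiry, _nonce = payload.rsplit(b"|", 2)
    if now >= int(expiry):
        return None             # past the 5-minute window
    if single_use:
        if tag in _accepted:
            return None         # same token presented a second time
        _accepted.add(tag)
    return user.decode()
```

Single-use checking only works if the server hands out a fresh token with every response, and over plain HTTP the token is still readable in transit.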