Full Disclosure mailing list archives
HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Mon, 13 Mar 2006 14:35:26 -0500
List, Does anyone else feel that using HTTP BASIC AUTH for a firewall is a bad idea even if it is SSL'd. All basic auth does is creates a hash string for username:password using base64. That can easily be reversed and the real username and password extracted. Sure it's SSL but can't a crafty attacker just create a proxy of sorts on a compromised network and intercept the communications? Am I missing something here? -- Regards, Simon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)