Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: "Matthijs van Otterdijk" <thotter () gmail com>
Date: Mon, 13 Mar 2006 20:43:13 +0100
Well isn't the whole idea of SSH that the connection is encrypted? so it
doesn't matter trough how many compromised networks it goes, since it gets
encrypted at the sending computer and decrypted at the receiving one.

On 3/13/06, Simon Smith <simon () snosoft com> wrote:


List,
    Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd. All basic auth does is creates a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?

--


Regards,
        Simon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: