Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: "Matthijs van Otterdijk" <thotter () gmail com>
Date: Mon, 13 Mar 2006 20:43:13 +0100
Well isn't the whole idea of SSH that the connection is encrypted? so it doesn't matter trough how many compromised networks it goes, since it gets encrypted at the sending computer and decrypted at the receiving one. On 3/13/06, Simon Smith <simon () snosoft com> wrote:
List, Does anyone else feel that using HTTP BASIC AUTH for a firewall is a bad idea even if it is SSL'd. All basic auth does is creates a hash string for username:password using base64. That can easily be reversed and the real username and password extracted. Sure it's SSL but can't a crafty attacker just create a proxy of sorts on a compromised network and intercept the communications? Am I missing something here? -- Regards, Simon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Matthijs van Otterdijk (Mar 13)