Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 15 Mar 2006 10:22:36 -0500

I think that we've lost focus of my original question. My question
refined is, does anyone else agree with me that using HTTP BASIC AUTH
for important applications is a security risk/vulnerability (regardless
of SSL)? Or, is everyone here telling me that they "feel safe" if the
connections are SSL'ed and are not worried that the HTTP BASIC AUTH is
only creating a base64 hash of their usernames and passwords that can
easily be reversed? My personal opinion, I feel like we're painting over
the rust on an old car... I don't feel like we're fixing the risks.

Is using Basic via SSL a security risk? .. No.
Is doing it on a firewall with self-signed certs stupid? .. Yes.
Is not ACL'ing the firewall's admin interface stupid? .. Yes.

Does all this warrant a "Vulnerability Notice"? .. No.

You can't "easily reverse" a base64 hash when it's encrypted with SSL (absent some MitM stuff). Sure, there are a dozen ways to do it better (client certs, something like SSH, whatever...) .. but implemented among clued-in admins isn't a problem -- if they know to verify and/or import the self-signed cert into their browser so they'll know if a MitM is attempted.

In reality, if someone is able to tinker with your broadcast medium (ARP spoofing, et al.) or DNS to initiate a MitM attack against you logging into the firewall, you've got bigger personnel problems. Get boxes for people's stuff and visit their offices with security.

~Mike.
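The two points above, as an added example that is not part of the thread: a Basic header is reversible base64 (which is why TLS carries all the protection), and a client that trusts only the firewall's imported self-signed certificate, plus a recorded fingerprint, refuses to hand credentials to a MitM. The cert path, host and fingerprint are assumptions; the sample header is constructed.

```python
import base64
import hashlib
import http.client
import ssl

# Constructed sample: what an on-path observer reads off a plain-HTTP login.
SAMPLE_HEADER = "Basic YWRtaW46czNjcmV0"   # "admin:s3cret", base64-encoded

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends; base64 only, no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic_header(value: str) -> tuple:
    """Reverse it: base64 is an encoding, not a hash, so this always succeeds."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER cert: the value the admin records when importing it."""
    return hashlib.sha256(der_cert).hexdigest()

def pinned_context(firewall_cert_pem: str) -> ssl.SSLContext:
    """Trust only the firewall's own self-signed cert, not the system CA bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True           # cert must name the host/IP we dialled
    ctx.load_verify_locations(cafile=firewall_cert_pem)   # assumed PEM path
    return ctx

def admin_get(host, path, user, password, firewall_cert_pem, expected_fp, port=443):
    """Send Basic credentials only after the peer cert matches the pinned one."""
    conn = http.client.HTTPSConnection(
        host, port, context=pinned_context(firewall_cert_pem), timeout=10)
    conn.connect()                      # TLS handshake; fails unless cert chains to the pin
    seen = cert_fingerprint(conn.sock.getpeercert(binary_form=True))
    if seen != expected_fp:             # second check: a swapped cert file cannot hide a MitM
        conn.close()
        raise ssl.SSLError(f"fingerprint mismatch: got {seen}, expected {expected_fp}")
    conn.request("GET", path, headers={"Authorization": basic_header(user, password)})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body
```

Record `expected_fp` out of band (e.g. from the firewall console) the first time; after that, any handshake or fingerprint failure is the "someone is in the middle" signal the post describes.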

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
