Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 11:43:46 -0500
Now we're on the right track... which brings up a question... what are the odds that someone could forcefully redirect traffic to their proxy after having compromised a network? Could this be done with arp poisoning? I haven't toyed with that in a while so I can't say yes or no... Valdis.Kletnieks () vt edu wrote:
On Wed, 15 Mar 2006 10:14:23 EST, Simon Smith said:I think that we've lost focus of my original question. My question refined is, does anyone else agree with me that using HTTP BASIC AUTH for important applications is a security risk/vulnerability (regardless of SSL)? Or, is everyone here telling me that they "feel safe" if the connections are SSL'ed and are not worried that the HTTP BASIC AUTH is only creating a base64 hash of their usernames and passwords that can easily be reversed? My personal opinion, I feel like we're painting over the rust on an old car... I don't feel like we're fixing the risks.It's not bulletproof. There are holes. Having said that, remember two things: 1) Once you're doing BASIC over SSL, it requires a MITM attack. In most network configs, that means that the attacker needs to already control at least one *other* box on the wire. At that point, you have bigger problems. 2) BASIC AUTH over SSL isn't the weak point, especially if the source box is a Windows box with 57 different kinds of spyware and backdoors on it. If the endpoints aren't secure, you can't *really* secure the path between them. This is also why using SSL on your e-commerce site doesn't mean it's secure - it merely guarantees that the data isn't screwed with on its way to the server, where it will likely get dumped into a world-readable file for the benefit of the first guy to try anonymous FTP to the site because the FTP server doesn't chroot an anonymous connection....
-- Regards, Adriel T. Desautels Harvard Security Group http://www.harvardsecuritygroup.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: HTTP AUTH BASIC monowall., (continued)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Pavel Kankovsky (Mar 13)
- Re: HTTP AUTH BASIC monowall. Keith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Valdis . Kletnieks (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. gboyce (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Valdis . Kletnieks (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Andrew Simmons (Mar 17)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 16)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)