Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Mark Coleman <securitylistgrok () uniontown com>
Date: Thu, 16 Mar 2006 10:43:17 -0500
At the risk of being flamed, I'll chime in with this since I don't think it's been mentioned as an alternative:
How about SecurID one-time passwords? Ride the HTTP Auth on SSL which hides it all, and a Malcolm in the Middle attack just gets username/PIN and a one-time password (MitM gives ability to DoS lockout your account).
-Mark Coleman gboyce wrote:
Ok, so what's your alternative?You're already assuming that the user of the firewall is already misusing SSL. They need to blindly accept unsigned SSL certificates, and changes to the certificates. Just about any security restrictions you can apply can be done away with if the user is incompetant enough.Some form of challenge response? If you can already perform a man in the middle attack, than challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them the challenge you recieved. Use the credential yourself, and pass them a failure. When they try again, connect them to the server.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: HTTP AUTH BASIC monowall., (continued)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall. Gary E. Miller (Mar 16)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 16)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Nick FitzGerald (Mar 16)
- Re: HTTP AUTH BASIC monowall. Felix Lindner (Mar 17)
- Re: HTTP AUTH BASIC monowall. Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall. Jason (Mar 17)
- Re: HTTP AUTH BASIC monowall. Mark Coleman (Mar 16)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Nick FitzGerald (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. bkfsec (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)