WebApp Sec mailing list archives
Re: unable to access web site embeds username & password
From: Andy bentley <andy () bentleyconsulting biz>
Date: Thu, 24 Jun 2004 01:36:08 -0400
Kevin R. Babcock wrote:
Basic Auth is still all in the clear. Anyone with a sniffer can see it, log it, use it.

On Tue, 22 Jun 2004, Brown, James F. wrote:

Keep in mind that passing passwords on the URL like this is horribly insecure. Your password will wind up sitting in web server logs, proxy server logs and will in some cases get sent off to other sites via the http referer mechanism.

In fact, Internet Explorer and other browsers take the username and password out of the URL before making the request. They are instead placed in headers to do HTTP Basic Authentication when the request is made, and so the username and password never go over the wire in a URL.

-Kevin
Andy Bentley

--
Andy Bentley ISSA, CISSP
508.932.9882
http://www.bentleyconsulting.biz
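The two points made in this exchange, shown side by side as an added example (not part of any poster's message): the userinfo is lifted out of the URL into an `Authorization: Basic` header, and that header is only base64, so anyone who observes it recovers the pair. The function names and the sample URL are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

def browser_request(url):
    """Model the behaviour described in the thread: userinfo is removed
    from the URL and sent as an HTTP Basic Authorization header."""
    parts = urlsplit(url)
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    headers = {"Host": host}
    if parts.username is not None:
        cred = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode("ascii")
    # The URL that goes on the wire no longer carries the credentials.
    clean = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    return clean, headers

def decode_basic(header_value):
    """Basic is an encoding, not encryption: the header reverses to user and password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    return user, password

def audit(url):
    """Findings a reviewer would raise for a link or configuration entry."""
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append("credentials embedded in URL")
        if parts.scheme != "https":
            findings.append("Basic credentials would cross the network without TLS")
    return findings

# Constructed sample URL, not taken from the thread.
SAMPLE = "http://alice:s3cret%21@intranet.example:8080/reports?id=7"

if __name__ == "__main__":
    clean_url, hdrs = browser_request(SAMPLE)
    print(clean_url)
    print(hdrs["Authorization"], "->", decode_basic(hdrs["Authorization"]))
    print(audit(SAMPLE))
```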