Date: Thu Mar 16 14:38:35 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: Re: HTTP AUTH BASIC monowall.

Simon Smith wrote:

> Whoever said I was going to issue a security advisory or "warning" as
> you called it?

  You did.  Have you got amnesia or what?

-----------------------<quote>
From: Simon Smith <simon@...soft.com>
Subject: Re: HTTP AUTH BASIC monowall.
Date: Mon, 13 Mar 2006 15:37:03 -0500
Message-ID: <4415D7EF.7020905@...soft.com>
References: <4415C97E.6030307@...soft.com> 
<20060313194945.GB3298@...tinelchicken.org> 
<a260a2190603131156u1642d587n2d325ec44e23b78a@...l.gmail.com>
 <200603131204.19462.requiem@...etor.org>
In-Reply-To: <200603131204.19462.requiem@...etor.org>
-----------------------<snips>
    So, I guess I've really answered my own question, perhaps I should
release some sort of an advisory on all of these products that are using
basic auth.
-----------------------<quote>

  To which my response was, to paraphrase, "No, perhaps you should not".

> Gee, you must have missed the entire thread... who said internet?

  As the above demonstrates, I seem to have taken in more of it than you 
have.

>>   There's nothing wrong with BASIC AUTH.
>>
> Aside from the fact that it's... um... insecure?

  You don't seem to get the concept of security.

  It's not an absolute, all-or-nothing.  It's a continuum.

  It's meaningless to ask whether something is 'secure' or 'not secure' in 
the abstract.  You can ask whether things are more or less secure, against 
certain threats, under certain assumptions.  This applies to absolutely any 
kind of anything, not just authentication, and not just basic auth.

  Basic auth is highly secure when deployed correctly in a well-managed LAN. 
It's a good match to a lot of the problems it is called on to solve.

  It does not solve, and does not attempt to solve because that is not 
within its remit, the problems that happen if your entire network 
infrastructure is already owned from within.  Nor does any other sort of 
authentication protocol.  In this, basic is no different from any other. 
Some auth protocols may offer more or less security against some kinds of 
compromises or others, but there's no general rule here.

> Well, you are a good example. You don't write very good emails and you
> aren't very well aware of the entire email thread now, are you?

  You've already said this, and as I demonstrated, I'm more aware of it than 
you are.

> I'll make it a point to not be as silly as you. ;]

  You've certainly succeeded in not being *as* silly as me.  Next time, 
though, try doing it by being /less/ silly than me!

>>     cheers,
>>       DaveK
>>
>
> Ah, you are from the UK, you said Cheers!

  "Cheers" is/was an American TV show, isn't it?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
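The disagreement above turns on what HTTP Basic authentication actually exposes and to whom. The following is an added example, not part of Dave Korn's message or of the thread: it encodes and decodes RFC 7617 Basic credentials, then models what a passive on-path observer learns from the same request over plain HTTP versus over TLS, and shows a server-side check that compares credentials in constant time. The request, the host name and the credentials are constructed for the example; the TLS case is a model of the transport, not a TLS implementation.

```python
"""Added example: what HTTP Basic auth gives away, and to whom.

Not code from the original post. The captured request, host name and
credentials below are constructed; the "https" branch is a model of what
transport encryption hides, not a TLS implementation.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample, not a real capture: a plain-HTTP request to a
# hypothetical appliance, credentials "admin" / "hunter2".
CAPTURED_REQUEST = (
    b"GET /admin/status.php HTTP/1.1\r\n"
    b"Host: firewall.lan.example\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    b"User-Agent: curl/7.x\r\n"
    b"\r\n"
)


def build_basic_header(username: str, password: str) -> str:
    """Client side, RFC 7617: base64("user-id:password").
    The user-id must not contain ':'; the password may."""
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header value.
    Returns None for anything that is not well-formed Basic: wrong scheme,
    bad base64, non-UTF-8 payload, or a payload with no ':' separator."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")  # first ':' only; password may contain more
    if not sep:
        return None
    return user, password


def headers_of(request: bytes) -> Dict[str, str]:
    """Minimal HTTP/1.x header parse, enough for this example (no folding,
    no duplicate-header handling)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    out: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, val = line.partition(":")
        out[name.strip().lower()] = val.strip()
    return out


def on_path_observer(request: bytes, transport: str) -> Dict[str, Optional[str]]:
    """What a passive observer on the network path learns.

    Over plain HTTP the whole request is visible, so Basic credentials are
    recovered by a base64 decode. Over TLS the same header sits inside the
    encrypted record: the observer still learns the host (assumed here to
    equal the TLS SNI) and traffic sizes, but not the credential. Whether
    that observer exists is a property of the network, not of the scheme.
    """
    hdrs = headers_of(request)
    if transport == "http":
        creds = parse_basic_header(hdrs.get("authorization", ""))
        return {
            "host": hdrs.get("host"),
            "username": creds[0] if creds else None,
            "password": creds[1] if creds else None,
        }
    if transport == "https":
        return {"host": hdrs.get("host"), "username": None, "password": None}
    raise ValueError("transport must be 'http' or 'https'")


def server_verify(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server side: reject malformed headers, then compare in constant time
    so response timing does not reveal how much of the password matched
    (compare_digest may still reveal a length mismatch)."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    ok_user = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return ok_user and ok_pass


if __name__ == "__main__":
    print("plain HTTP observer:", on_path_observer(CAPTURED_REQUEST, "http"))
    print("TLS observer:      ", on_path_observer(CAPTURED_REQUEST, "https"))
```

Running it prints the recovered user name and password for the plain-HTTP case and only the host for the TLS case; that difference is the whole of the "secure or not" question for Basic, which is why the answer depends on the threat model rather than on the scheme in isolation.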