| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a260a2190603131143u14cd696j691908a54ce8d15c@mail.gmail.com> Date: Mon Mar 13 19:43:25 2006 From: thotter at gmail.com (Matthijs van Otterdijk) Subject: HTTP AUTH BASIC monowall. Well isn't the whole idea of SSH that the connection is encrypted? so it doesn't matter trough how many compromised networks it goes, since it gets encrypted at the sending computer and decrypted at the receiving one. On 3/13/06, Simon Smith <simon@...soft.com> wrote: > > List, > Does anyone else feel that using HTTP BASIC AUTH for a firewall is a > bad idea even if it is SSL'd. All basic auth does is creates a hash > string for username:password using base64. That can easily be reversed > and the real username and password extracted. Sure it's SSL but can't a > crafty attacker just create a proxy of sorts on a compromised network > and intercept the communications? Am I missing something here? > > -- > > > Regards, > Simon > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060313/e9f5b049/attachment.html
Powered by blists - more mailing lists