lists.openwall.net
Date: Wed Mar 15 15:27:00 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: HTTP AUTH BASIC monowall.

> I think that we've lost focus of my original question. My question
> refined is, does anyone else agree with me that using HTTP BASIC AUTH
> for important applications is a security risk/vulnerability (regardless
> of SSL)? Or, is everyone here telling me that they "feel safe" if the
> connections are SSL'ed and are not worried that the HTTP BASIC AUTH is
> only creating a base64 hash of their usernames and passwords that can
> easily be reversed? My personal opinion, I feel like we're painting over
> the rust on an old car... I don't feel like we're fixing the risks.

Is using Basic via SSL a security risk? .. No.
Is doing it on a firewall with self-signed certs stupid? .. Yes.
Is not ACL'ing the firewall's admin interface stupid? .. Yes.

Does all this warrant a "Vulnerability Notice"? .. No.

You can't "easily reverse" a base64 hash when it's encrypted with SSL 
(absent some MitM stuff). Sure, there are a dozen ways to do it better 
(client certs, something like SSH, whatever...) .. but implemented among 
clued-in admins isn't a problem -- if they know to verify and/or import 
the self-signed cert into their browser so they'll know if a MitM is 
attempted.

In reality, if someone is able to tinker with your broadcast medium (ARP 
spoofing, et al.) or DNS to initiate a MitM attack against you logging 
into the firewall, you've got bigger personnel problems. Get boxes for 
people's stuff and visit their offices with security.

~Mike.
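The two points above (a Basic credential is only base64, so anyone who sees it on the wire recovers it; TLS keeps it off the wire unless a MitM can present a certificate the client accepts, which is why the self-signed cert has to be verified or pinned on the admin's side) as an added worked example. This is not code from the original message or from m0n0wall; the host, port, pin, user name and password are placeholders, and SAMPLE_SERVER_DER is a constructed byte string standing in for the DER certificate a real server would present.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed sample: a stand-in for the DER bytes that getpeercert(binary_form=True)
# returns for a firewall's self-signed certificate. Any byte string works here,
# because pinning hashes the raw DER and never needs to parse it.
SAMPLE_SERVER_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value: str) -> tuple:
    """Recover user and password from a Basic header: it is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # RFC 7617: the user name cannot contain ':', so split on the first one only.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lower-case hex, as a pin value."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_sha256: str) -> bool:
    """Compare the presented certificate against the pinned fingerprint.
    Accepts the colon-separated upper-case form that browsers display."""
    expected = expected_sha256.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der), expected)


def fetch_with_pinned_cert(host, port, pin, user, password, path="/"):
    """Open TLS to the admin interface and send the Basic credential only if the
    server presented exactly the pinned (self-signed) certificate. Hypothetical
    helper; the caller supplies the pin recorded out of band from the firewall."""
    ctx = ssl.create_default_context()
    # A self-signed cert cannot pass chain validation, so chain validation is
    # replaced by the fingerprint check below; never send credentials before it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pin):
                raise ssl.SSLError(
                    f"certificate pin mismatch (possible MitM): got {cert_fingerprint(der)}"
                )
            request = (
                f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Authorization: {basic_auth_header(user, password)}\r\n"
                "Connection: close\r\n\r\n"
            )
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)


if __name__ == "__main__":
    # What a passive sniffer on plain HTTP would see, and how little it takes to read it.
    header = basic_auth_header("admin", "s3cret")
    print(header, "->", decode_basic(header))
    # Record the firewall's fingerprint once (out of band), then pin it.
    pin = cert_fingerprint(SAMPLE_SERVER_DER)
    print("pin ok:", pin_matches(SAMPLE_SERVER_DER, pin))
    print("tampered cert:", pin_matches(SAMPLE_SERVER_DER + b"\x00", pin))
    # fetch_with_pinned_cert("192.0.2.1", 443, pin, "admin", "s3cret") would
    # only send the Basic header once the pin check passes (placeholder address).
```

The pin check is the programmatic version of "import the self-signed cert into the browser": an ARP- or DNS-level MitM can terminate TLS with its own certificate, but it cannot produce one with the pinned fingerprint, so the client refuses before the credential ever leaves the machine.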
