Date: Thu Mar 16 14:44:45 2006
From: simon at snosoft.com (Simon Smith)
Subject: Re: Re: HTTP AUTH BASIC monowall.

Dave,
    No shit, maybe I do have amnesia. I had one of those stupid days
yesterday anyway and you'd think that I'd know better than to write to
FD when I'm like that... but no... I'd rather make myself look like an
ass. ;] 

Dave Korn wrote:
> Simon Smith wrote:
>
>   
>> Whoever said I was going to issue a security advisory or "warning" as
>> you called it?
>>     
>
>   You did.  Have you got amnesia or what?
>
> -----------------------<quote>
> From: Simon Smith <simon@...soft.com>
> Subject: Re: HTTP AUTH BASIC monowall.
> Date: Mon, 13 Mar 2006 15:37:03 -0500
> Message-ID: <4415D7EF.7020905@...soft.com>
> References: <4415C97E.6030307@...soft.com> 
> <20060313194945.GB3298@...tinelchicken.org> 
> <a260a2190603131156u1642d587n2d325ec44e23b78a@...l.gmail.com>
>  <200603131204.19462.requiem@...etor.org>
> In-Reply-To: <200603131204.19462.requiem@...etor.org>
> -----------------------<snips>
>     So, I guess I've really answered my own question, perhaps I should
> release some sort of an advisory on all of these products that are using
> basic auth.
> -----------------------<quote>
>
>   To which my response was, to paraphrase, "No, perhaps you should not".
>
>   
>> Gee, you must have missed the entire thread... who said internet?
>>     
>
>   As the above demonstrates, I seem to have taken in more of it than you 
> have.
>
>   
>>>   There's nothing wrong with BASIC AUTH.
>>>
>>>       
>> Aside from the fact that it's... um... insecure?
>>     
>
>   You don't seem to get the concept of security.
>
>   It's not an absolute, all-or-nothing.  It's a continuum.
>
>   It's meaningless to ask whether something is 'secure' or 'not secure' in 
> the abstract.  You can ask whether things are more or less secure, against 
> certain threats, under certain assumptions.  This applies to absolutely any 
> kind of anything, not just authentication, and not just basic auth.
>
>   Basic auth is highly secure when deployed correctly in a well-managed LAN. 
> It's a good match to a lot of the problems it is called on to solve.
>
>   It does not solve, and does not attempt to solve because that is not 
> within its remit, the problems that happen if your entire network 
> infrastructure is already owned from within.  Nor does any other sort of 
> authentication protocol.  In this, basic is no different from any other. 
> Some auth protocols may offer more or less security against some kinds of 
> compromises or others, but there's no general rule here.
>
>   
>> Well, you are a good example. You don't write very good emails and you
>> aren't very well aware of the entire email thread now are you?
>>     
>
>   You've already said this, and as I demonstrated, I'm more aware of it than 
> you are.
>
>   
>> I'll make it a point to not be as silly as you. ;]
>>     
>
>   You've certainly succeeded in not being *as* silly as me.  Next time, 
> though, try doing it by being /less/ silly than me!
>
>   
>>>     cheers,
>>>       DaveK
>>>
>>>       
>> AH you are from the UK, you said Cheers!
>>     
>
>   "Cheers" is/was an American TV show, isn't it?
>
>     cheers,
>       DaveK
>   

-- 


Regards, 
	Adriel T. Desautels
	Harvard Security Group
	http://www.harvardsecuritygroup.com

