| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Mar 16 15:53:13 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall.
Mark,
Thats a good alternative. I'll add that to my list of options. Thanks!
Mark Coleman wrote:
> At the risk of being flamed, I'll chime in with this since I don't
> think it's been mentioned as an alternative:
>
> How about SecurID one-time passwords? Ride the HTTP Auth on SSL which
> hides it all, and a Malcolm in the Middle attack just gets
> username/PIN and a one-time password (MitM gives ability to DoS
> lockout your account).
>
> -Mark Coleman
>
>
> gboyce wrote:
>> Ok, so what's your alternative?
>>
>> You're already assuming that the user of the firewall is already
>> misusing SSL. They need to blindly accept unsigned SSL certificates,
>> and changes to the certificates. Just about any security
>> restrictions you can apply can be done away with if the user is
>> incompetant enough.
>>
>> Some form of challenge response? If you can already perform a man in
>> the middle attack, than challenge response is just as vulnerable.
>> Just connect to the server when the client hits you, and pass them
>> the challenge you recieved. Use the credential yourself, and pass
>> them a failure. When they try again, connect them to the server.
>
--
Regards,
Jackass
Powered by blists - more mailing lists