[Full-disclosure] HTTP AUTH BASIC monowall.



List,
Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd? All basic auth does is create a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?

--


Regards,
Simon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
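
The encoding the post describes, as an added example that is not part of the original message: the `Authorization: Basic` value is base64 of `user:password`, and decoding it needs no key, so the credentials are only as confidential as the TLS session that carries them. The function names and the sample credentials are constructed for illustration.

```python
import base64


def encode_basic(user: str, password: str) -> str:
    """Build the value a client sends: 'Basic ' + base64(user:password)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header_value: str):
    """Recover (user, password) from an Authorization header value.

    Returns None when the value is not well-formed Basic credentials.
    No secret is involved: base64 is a reversible encoding.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # scheme names are case-insensitive; anything else is rejected
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # covers bad base64, bad padding and bad UTF-8
        return None
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


# Constructed sample credentials, not taken from any real device.
SAMPLE = encode_basic("admin", "s3cr:et pass")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_basic(SAMPLE))
```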


