[Full-disclosure] HTTP AUTH BASIC monowall.
- From: Simon Smith <simon@xxxxxxxxxxx>
- Date: Mon, 13 Mar 2006 14:35:26 -0500
List,
Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd. All basic auth does is creates a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?
--
Regards,
Simon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- [Full-disclosure] Re: HTTP AUTH BASIC monowall.
- From: Dave Korn
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: Michael Holstein
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: Tim
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: Matthijs van Otterdijk
- [Full-disclosure] Re: HTTP AUTH BASIC monowall.
- Prev by Date: [Full-disclosure] [SECURITY] [DSA 997-1] New bomberclone packages fix arbitrary code execution
- Next by Date: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- Previous by thread: [Full-disclosure] [SECURITY] [DSA 997-1] New bomberclone packages fix arbitrary code execution
- Next by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- Index(es):
Relevant Pages
|
