Re: [Full-disclosure] HTTP AUTH BASIC monowall.



Jeremy,
Thanks for the input, I appreciate this a great deal!
Jeremy Bishop wrote:
> On Thursday 16 March 2006 06:48, Simon Smith wrote:
> <snip>
>
> > Encoding a username and password combination using base64 is not
> > secure, but, I understand why it is encoded in base64. Having said
> > that, I am trying to discover/create an alternate method for
> > authentication that is secure even if the SSL pipe is compromised. I
>
> Pavel's link on SRP ( http://srp.stanford.edu/ ) is close to what you
> might be looking for. (That is, a means of password-based
> authentication over an untrusted medium.)
>
> > liked the idea of creating a secondary tunnel within the initial SSL
> > tunnel but I am not certain that it would be the best way to do it.
>
> Either your secondary tunnel corrects the issues with the initial tunnel
> or it does not. If it does there's no need to bother with SSL in the
> first place. If it doesn't, you're still open to the exact same
> attacks.
>
> <more snippage>
>
> > once a LAN is penetrated. Providing an extra layer of security within
> > the SSL tunnel would help to prevent this tool and others like it
> > from being compromised so easily. My first thought was on how to
> > harden the authentication because the basic auth didn't cut it for
> > me. That's what I am looking for ideas for.
>
> If you secure the authentication alone, an attacker will simply
> piggy-back on your existing session. E.g., you tell server A to
> reboot, but by the time the command gets to the webserver it happens to
> include a few extra commands.




--
Regards,
Jackass
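
An added example, not from anyone in this thread, of the point Jeremy makes about piggy-backing on a session: authenticating once is not enough, each command also has to be bound to the session. It assumes client and server already share a per-session key (the kind of key a PAKE such as SRP yields; SRP itself is not implemented here), and the names sign_command, CommandVerifier and demo are hypothetical.

```python
import hmac
import hashlib
import os

# Constructed demo: a shared session key stands in for the key an SRP
# exchange would produce. Every command is bound to that key with an HMAC
# over nonce || command, so an attacker riding the session can neither
# alter a command in flight nor replay a captured one.

def sign_command(key: bytes, nonce: bytes, command: str) -> bytes:
    """Client side: MAC covering both the nonce and the command text."""
    msg = nonce + b"|" + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class CommandVerifier:
    """Server side: checks the MAC and rejects nonces it has already seen."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def accept(self, nonce: bytes, command: str, tag: bytes) -> bool:
        if nonce in self.seen:            # replay of an earlier command
            return False
        expected = sign_command(self.key, nonce, command)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False
        self.seen.add(nonce)
        return True

def demo() -> dict:
    key = os.urandom(32)                  # stands in for the SRP session key
    server = CommandVerifier(key)
    nonce = os.urandom(16)
    tag = sign_command(key, nonce, "reboot")
    results = {}
    # Command altered in flight: "a few extra commands" appended, MAC fails
    results["tampered"] = server.accept(nonce, "reboot; adduser x", tag)
    # The genuine, untouched command is accepted
    results["genuine"] = server.accept(nonce, "reboot", tag)
    # The captured, correctly signed command resent later is rejected
    results["replayed"] = server.accept(nonce, "reboot", tag)
    return results

if __name__ == "__main__":
    print(demo())
```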


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


