[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

To: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Mon, 13 Mar 2006 15:23:27 -0500

Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd. All basic auth does is creates a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?


If it's Basic via SSL, then it's fine. Nobody will be able to intercept it.

It is possible to setup a MITM attack using SSL, but you've got to use aforged certificate and the browser will alert as to such. The problemthere lies in the fact that most users will blindly click "ok" to such adialouge.

You said this is a firewall box. Most "appliances" I've seen useself-signed SSL certs which don't validate anyway -- so you're ALREADYused to clicking "ok" on the warning. Therein lies the danger I suppose.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Tim

References:
- [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Simon Smith

Prev by Date: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by Date: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Previous by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Index(es):
- Date
- Thread