Re: [Full-disclosure] HTTP AUTH BASIC monowall.

[Mark Coleman <securitylistgrok@xxxxxxxxxxxxx>]

At the risk of being flamed, I'll chime in with this since I don't think 
it's been mentioned as an alternative:

How about SecurID one-time passwords?  Ride the HTTP Auth on SSL which 
hides it all, and a Malcolm in the Middle attack just gets username/PIN 
and a one-time password (MitM gives ability to DoS lockout your account).

-Mark Coleman


gboyce wrote:
> Ok, so what's your alternative?
>
> You're already assuming that the user of the firewall is already 
> misusing SSL.  They need to blindly accept unsigned SSL certificates, 
> and changes to the certificates.  Just about any security restrictions 
> you can apply can be done away with if the user is incompetant enough.
>
> Some form of challenge response?  If you can already perform a man in 
> the middle attack, than challenge response is just as vulnerable.  
> Just connect to the server when the client hits you, and pass them the 
> challenge you recieved.  Use the credential yourself, and pass them a 
> failure.  When they try again, connect them to the server. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/