Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- To: Mark Coleman <securitylistgrok@xxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: Simon Smith <simon@xxxxxxxxxxx>
- Date: Thu, 16 Mar 2006 10:53:05 -0500
Mark,
That's a good alternative. I'll add that to my list of options. Thanks!
Mark Coleman wrote:
> At the risk of being flamed, I'll chime in with this since I don't
> think it's been mentioned as an alternative:
>
> How about SecurID one-time passwords? Ride the HTTP Auth on SSL which
> hides it all, and a Malcolm in the Middle attack just gets
> username/PIN and a one-time password (MitM gives ability to DoS
> lockout your account).
>
> -Mark Coleman
>
>
> gboyce wrote:
>> Ok, so what's your alternative?
>>
>> You're already assuming that the user of the firewall is already
>> misusing SSL. They need to blindly accept unsigned SSL certificates,
>> and changes to the certificates. Just about any security
>> restrictions you can apply can be done away with if the user is
>> incompetent enough.
>>
>> Some form of challenge response? If you can already perform a man in
>> the middle attack, then challenge response is just as vulnerable.
>> Just connect to the server when the client hits you, and pass them
>> the challenge you received. Use the credential yourself, and pass
>> them a failure. When they try again, connect them to the server.
>
--
Regards,
Jackass
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
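As an added illustration of the two points raised in the thread (one-time passwords as Mark suggests, and the relay-and-hand-back-a-failure pattern gboyce describes), this is a server-side HOTP verifier that consumes each counter value once: the code a relay spends is gone, and when the legitimate user retries with that same code the server can recognise it as a replay rather than a plain typo. Example code written for this page, not from any poster or from m0n0wall; the secret is the RFC 4226 test vector, not a real key, and the audit list is constructed for the demo.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server-side verifier: every counter value is accepted at most once."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0   # lowest counter value still acceptable
        self.events = []        # audit trail (constructed for the demo)

    def verify(self, code: str) -> str:
        # Normal path: the code matches one of the next few counters.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this and all earlier codes
                self.events.append(("accepted", c))
                return "accepted"
        # A code matching an already-consumed counter is a replay. In the relay
        # scenario the user saw a failure while someone else spent the code, so
        # this second presentation is worth alerting on, not just rejecting.
        for c in range(max(0, self.next_counter - self.look_ahead), self.next_counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.events.append(("replay", c))
                return "replay"
        self.events.append(("rejected", None))
        return "rejected"

def demo():
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    v = OtpVerifier(secret)
    token = hotp(secret, 0)            # the user's first code: 755224
    first = v.verify(token)            # presented once (e.g. by a relay): accepted
    second = v.verify(token)           # user retries with the same code: replay
    return first, second, v.events
```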