Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- To: "Felix Lindner" <fx@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Date: Fri, 17 Mar 2006 12:39:30 -0500
On 3/16/06, Felix Lindner <fx@xxxxxxxxxxxxxx> wrote:
> you may be looking for Digest Authentication:
> http://www.ietf.org/rfc/rfc2617.txt:
>
> "Like Basic, Digest access authentication verifies that both parties
> to a communication know a shared secret (a password); unlike Basic,
> this verification can be done without sending the password in the
> clear, which is Basic's biggest weakness. As with most other
> authentication protocols, the greatest sources of risks are usually
> found not in the core protocol itself but in policies and procedures
> surrounding its use."
Digest probably isn't a good answer to a MITM attack, because as far
as I can tell there is nothing stopping the MITM from downgrading to
BA.
I haven't actually tested this. Maybe the browsers have config
options to disable BA authentication, or at least give some kind of
visual indicator that the authentication is digest rather than basic.
- Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/