Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company
From: Aaron Bentley <abentley () PANORAMICFEEDBACK COM>
Date: Wed, 6 Sep 2000 13:23:43 -0400

On Wed, 6 Sep 2000, Chris L. Mason wrote:

I think there's a solution to this "problem" that is far too often
overlooked.  More sites simply need to start using HTTP Basic
Access Authentication.  This is the mechanism that causes those a "pop-up"
box to appear where the user must enter their username and password.

We use Basic Authenication on our site.  Here's some extra comments:

1. If you ask it to, Internet Explorer will cache the password indefinitely

2. The username is cached.  It's very tricky to allow users to change their
username without restarting their browser

3. Proxy servers can interfere with http authetication.  When your web site
doesn't work, they'll blame you, not themselves.

4. It's harder to detect dictionary attacks on your web site, since http auth
is usually handled at the server level, not the CGI level.


Aaron Bentley
Manager of Information Technology
PanoMetrics, Inc.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]