Security Basics mailing list archives
Re: Apache AuthBasic
From: "Jon Mark Allen" <jonmark () allensonthe net>
Date: Fri, 12 Dec 2003 14:29:03 -0600
The content of the folder is a few static HTML pages. The main security concern is confidentiality of the data. There is no application or database.

My hands are tied in a number of areas here:

1) The site is hosted by a 3rd party, so I don't have real-time access to the log files to watch for brute-force attacks.
1a) Which obviously also means that my security is only as good as the web host's security; a fact I will just have to live with.
2) PGP is not an option given the diversity and size of the audience that needs the info (i.e. not all the recipients have PGP, and neither do I want to manage *all* their public keys).
3) The info is time critical and needs to be available ASAP (doesn't it always? :-? )

Taking the factors above into consideration, and with some of the responses to this list as well as an idea from an article on hardening .htaccess files, I think I've decided that my biggest security threat (aside from end users mishandling userids and passwords) is the brute-force attack.

I do have access to PHP on this server and am writing a custom 401 error page that will email me the IP address of any client that fails to authenticate before displaying as generic an error message as I can send.

I suppose if I had time (and if I trusted my PHP coding abilities enough) I could write some authentication scripts in PHP to handle the security, but I think that would get very complicated very quickly and I'm not an expert PHP coder just yet :-) So I think the built-in Apache password challenge will suffice in this case.

Does this sound like a good plan? This is still a bit new to me, but I think I'm getting somewhere.

Thanks again,
Jon Mark
>>> Miles Stevenson <miles () mstevenson org> 12/12/03 01:55:56 PM >>>
Hi Jon.

The best security you can have for your content completely depends on what the content is (static HTML page, text document, PHP web app, etc). What is it that you are trying to secure? SSL + AuthBasic will provide you with good security while the web traffic is in transit (provided by SSL), and it will provide you with a medium level of authentication (user/pass). Do you have integrity requirements as well? If this is a document, can you PGP encrypt it? There are tons of possibilities here.

If this is an actual web application you are trying to protect, then it becomes a whole different ballgame. The amount of security provided by the application itself is a very big factor here, and things like secure session IDs become a very important part of it. This can get very complex, especially when a back-end database enters the picture.

So I'd have to ask you not only what it is that you are trying to secure, but what are your security requirements when it comes to confidentiality, integrity, and availability?

-Miles

On Fri, 2003-12-12 at 10:46, Jon Mark Allen wrote:
I have a website with one particular folder I want to secure. I have set up SSL and Apache AuthBasic for that folder and all subfiles. My question is: does anyone know of any vulnerabilities or ways to crack/circumvent AuthBasic?

So far, the only method I've found of breaking AuthBasic is to sniff the traffic to lift the username/password, but I've tested that with the SSL and the username/password combo is passed after SSL has already been established.

It is very important that this folder be as secure as I can make it. Obviously, just being available on the web at all reduces the overall security significantly, but I don't have a choice there. :-)

Thanks for your help.
Jon Mark
--
Miles Stevenson
miles () mstevenson org
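As an added illustration of the custom 401 page Jon Mark describes (this is example code written for this archive page, not a script from the thread), the following PHP handler records each failed Basic-auth challenge with the client IP and e-mails the administrator once an IP crosses a threshold, rather than mailing on every request. It assumes an Apache directive `ErrorDocument 401 /auth-failed.php`, a log path and admin address that are placeholders, and that the script lives outside the password-protected folder (otherwise the error page would itself require authentication).

```php
<?php
// Example 401 ErrorDocument handler (added example, not from the mailing list).
// Apache keeps the original 401 status and WWW-Authenticate header for a local
// ErrorDocument, so this script only needs to log, alert and print a generic body.

$logFile   = '/var/log/apache2/auth-failures.log'; // assumed path, writable by the web server
$adminMail = 'admin@example.com';                   // placeholder address
$threshold = 5;                                     // failures per IP before alerting
$window    = 600;                                   // look-back window in seconds

// On an internal redirect Apache exposes the originally requested URL as REDIRECT_URL.
$ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$url = $_SERVER['REDIRECT_URL'] ?? ($_SERVER['REQUEST_URI'] ?? '');
$ua  = str_replace(["\r", "\n"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '');
$now = time();

// Caveat: the very first request to a protected URL also yields a 401 (the
// challenge itself), so one entry per IP is normal; repeated entries are not.
$entry = sprintf("%s ip=%s url=%s ua=%s\n", date('c', $now), $ip, $url, $ua);
file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);

// Count recent entries for this IP by scanning the log (adequate for a small static site).
$recent = 0;
$lines  = file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
foreach ($lines as $line) {
    if (preg_match('/^(\S+) ip=(\S+) /', $line, $m)
        && $m[2] === $ip
        && strtotime($m[1]) >= $now - $window) {
        $recent++;
    }
}

// Alert exactly once, when the threshold is crossed, to avoid flooding the mailbox.
if ($recent === $threshold) {
    mail($adminMail,
         'Repeated Basic-auth failures from ' . $ip,
         "$recent 401 responses for $ip in the last $window seconds.\nLast URL: $url\n");
}

// Generic body: reveal nothing about valid users or why the request was refused.
echo "<html><body><h1>Authorization Required</h1></body></html>\n";
```

Because the host's access logs are not available in real time, the script's own log file also gives a record that can be reviewed later for patterns the e-mail threshold did not catch.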
Current thread:
- Apache AuthBasic Jon Mark Allen (Dec 12)
- Re: Apache AuthBasic Miles Stevenson (Dec 15)
- Re: Apache AuthBasic Creed Erickson (Dec 15)
- <Possible follow-ups>
- Re: Apache AuthBasic Jon Mark Allen (Dec 15)
- Re: Apache AuthBasic Miles Stevenson (Dec 15)
- Re: Apache AuthBasic Jon Mark Allen (Dec 15)
