Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Simon Smith <simon () snosoft com>
Date: Mon, 13 Mar 2006 16:21:08 -0500

Ok,
    That or the auth mechanism does need to be changed.

Jeremy Bishop wrote:
On Monday 13 March 2006 12:37, you wrote:
  
List,
    SSL is not a fix for the problem, SSL is just a way of evading
the issue or hiding the hole. I can bypass SSL with a man in the
middle attack (which I've already done several times). Once I bypass
    

I'm assuming that this is using unsigned or otherwise invalid 
certificates, and relying on user ignorance or apathy to succeed.

  
    What is the solution to this problem? Is there a solution that
does not require a different auth type?
    

SSL.  (Done correctly.)

Any "solution" is likely to rely on public-key crypto and as such will 
require a similar mechanism for verifying identity.  If sufficiently 
widespread, apathy and ignorance will render it vulnerable to the exact 
same problems.

I suggest "password-authenticated key agreement" as a starting point for 
research outside the traditional public-key methods.  (Although, as far 
as I can tell, it would require the "password" to be accessible to the 
server so that the session can be set up.  IOW, you get around the 
problems of trusting a cert, but you're back to storing passwords in 
plaintext.)

Jeremy

  


-- 


Regards, 
        Adriel T. Desautels
        Harvard Security Group
        http://www.harvardsecuritygroup.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: