On Wed, 15 Mar 2006 10:14:23 EST, Simon Smith said: > I think that we've lost focus of my original question. My question > refined is, does anyone else agree with me that using HTTP BASIC AUTH > for important applications is a security risk/vulnerability (regardless > of SSL)? Or, is everyone here telling me that they "feel safe" if the > connections are SSL'ed and are not worried that the HTTP BASIC AUTH is > only creating a base64 hash of their usernames and passwords that can > easily be reversed? My personal opinion, I feel like we're painting over > the rust on an old car... I don't feel like we're fixing the risks.
It's not bulletproof. There are holes. Having said that, remember two things: 1) Once you're doing BASIC over SSL, it requires a MITM attack. In most network configs, that means that the attacker needs to already control at least one *other* box on the wire. At that point, you have bigger problems. 2) BASIC AUTH over SSL isn't the weak point, especially if the source box is a Windows box with 57 different kinds of spyware and backdoors on it. If the endpoints aren't secure, you can't *really* secure the path between them. This is also why using SSL on your e-commerce site doesn't mean it's secure - it merely guarantees that the data isn't screwed with on its way to the server, where it will likely get dumped into a world-readable file for the benefit of the first guy to try anonymous FTP to the site because the FTP server doesn't chroot an anonymous connection....
pgp0UrRjrSEjU.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/