Re: A more secure form of .htaccess?
On Fri, 2002-04-26 at 20:27, martin f krafft wrote:
> never say impossible.

Quite. Way too many people will click continue to all the "this certificate is not certified by anyone trusted" and "this certificate certifies a different site" warnings. Most people would click continue if their browser warned them the site wanted 8-bit encryption.
Re: A more secure form of .htaccess?
Well, yes... you're right!

** Never say impossible **

On Sat, 2002-04-27 at 02:27, martin f krafft wrote:
> also sprach eim <[EMAIL PROTECTED]> [2002.04.26.1757 +0200]:
> > With https data will be encripted and it's impossible to
> > find out login and password because they're not sent over
> > the net in a clear way.
>
> never say impossible.
>
> --
> martin; (greetings from the heart of the sun.)
> \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
>
> "crying is the refuge of plain women but the ruin of pretty ones."
> -- oscar wilde

--
»« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
Ivo Marino [EMAIL PROTECTED]
UN*X Developer, running Debian GNU/Linux
irc.OpenProjects.net #debian
http://eimbox.org/~eim http://eimbox.org
»« »« »« »« »« »« »« »« »« »« »« »« »« »« »«

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
also sprach Dan Faerch <[EMAIL PROTECTED]> [2002.04.27.2120 +0200]:
> > you know their algorithm against MAC table overflow?
> No i dont.. I would be very interrested in reading about it, if you know of
> a link.. Im sure that it would be possible to enforce some level of
> security..

it's quite simple. i don't have a link. but these switches clear out their MAC tables LRU style at a rate inversely proportional to the space left. so if you manage to halve the space left by MAC flooding, they'll clean out the tables twice as fast. if you manage to halve the remaining space, they'll clean out four times as fast. there's very little chance that you can fill those tables and make it enter hub mode.

> It is correct that you can get switches that, one way or another, will try
> to enforce the switching mode and thus, not reentering hub-mode.. Also the
> locking mechanism some switches use, that locks the MAC/IP pair to a single
> port is quite good, but rather annoying to work with in most office
> enviroments (because of laptops and so forth)..

aside from the fact that you can still change your MAC address at will... but yes, these are good for static environments only, but they aren't a security measure. `ifconfig eth0 hw ether 00:11:22:33:44:55` is all i have to say... switches are *not* a security measure, period.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"one should never trust a woman who tells her real age. if she tells that, she'll tell anything."
-- oscar wilde
Re: A more secure form of .htaccess?
Gareth Bowker wrote:
> If someone's already logged in, and they visit a webpage on the same domain
> which asks for a username and password for the same realm as the one used to
> log in, the browser will send the username/password pair without asking the
> user for any confirmation.
> At least I assume that's what Dan meant above and I assume that that would
> happen (I haven't tried it myself).

Yep... That's what I meant... The browser will retransmit the username and password with every request while you're roaming the same realm.. All you'd have to do is make a page identify itself with the same realm name and then log the username and password.

Martin wrote (on the subject of switches):
> you know their algorithm against MAC table overflow?

No I don't.. I would be very interested in reading about it, if you know of a link.. I'm sure that it would be possible to enforce some level of security..

It is correct that you can get switches that, one way or another, will try to enforce the switching mode and thus not re-enter hub mode.. Also the locking mechanism some switches use, that locks the MAC/IP pair to a single port, is quite good, but rather annoying to work with in most office environments (because of laptops and so forth).. And most system administrators don't know how these are enabled or simply never knew they existed. These security measures are therefore often not enabled or manually disabled for convenience. And then there is the matter of the price ;)

- Dan
Re: A more secure form of .htaccess?
Steve Mickeler wrote:
>
> Trust not in switches.
>
> They too can be easily manipulated unless you have locked them down at a
> mac address and port level.
>
> 'apt-get install dsniff' ; 'man arpspoof'

Of course, which is one of the things I had in mind when I said:

> > topology. Switches tend not to allow other nodes on a network to see

and:

> > sniffed off the network. That is, of course, if the network was designed
> > with that in mind.

Dan Faerch wrote:
> The subject on switches.. It is a general misunderstanding that switches
> provide security.. There are several easy tricks to make a switch spill its
> guts.. They were designed for performance and no one ever promised security
> :)

Cisco, in fact, does promise security when using their switches. Well, most of their switches. But I do agree that they are designed with security as an other-than-primary goal. However, they can provide a layer of abstraction, to help prevent sniffing. wheee.

-Will Wesley, CCNA
"Cheer up! Things are getting worse at a slower rate."
Re: A more secure form of .htaccess?
On Sat, Apr 27, 2002 at 03:32:45AM +0200, martin f krafft wrote:
> also sprach Dan Faerch <[EMAIL PROTECTED]> [2002.04.26.1955 +0200]:
> > Second more, if your users are allowed to have pages on the same
> > address as the login system, the browser can, without much effort,
> > be tricked into giving away your systems username and password to
> > a personal user page...
>
> how?

Take a look at http://www.php.net/manual/ro/features.http-auth.php

If someone's already logged in, and they visit a webpage on the same domain which asks for a username and password for the same realm as the one used to log in, the browser will send the username/password pair without asking the user for any confirmation.

At least I assume that's what Dan meant above and I assume that that would happen (I haven't tried it myself).

Gareth
Re: A more secure form of .htaccess?
also sprach Dan Faerch <[EMAIL PROTECTED]> [2002.04.26.1955 +0200]:
> Second more, if your users are allowed to have pages on the same
> address as the login system, the browser can, without much effort,
> be tricked into giving away your systems username and password to
> a personal user page...

how?

> The subject on switches.. It is a general misunderstanding that
> switches provide security.. There are several easy tricks to make
> a switch spill its guts.. They were designed for performance and no
> one ever promised security

true, and i love this one because it's the first thing everyone says in response to hearing something said on 'sniffing'. uhm, every previously not so exposed person as we are, i mean. but have you tried your luck on one of the better cisco and hewlett-packard switches? you know their algorithm against MAC table overflow? if yes, then just think about it, and about how good it is.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"micro$oft productivity software" - see reductio ad absurdum, conclusions.
Re: A more secure form of .htaccess?
also sprach eim <[EMAIL PROTECTED]> [2002.04.26.1757 +0200]:
> With https data will be encripted and it's impossible to
> find out login and password because they're not sent over
> the net in a clear way.

never say impossible.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"crying is the refuge of plain women but the ruin of pretty ones."
-- oscar wilde
Re: A more secure form of .htaccess?
On Fri, Apr 26, 2002 at 07:55:06PM +0200, Dan Faerch wrote:
> You should be aware, that when you use normal .htaccess protection,
> browser never logout..With eg. Internet Explorer, all intances of IE
> have to be closed to make the browser forget the login..

Actually, I think instances of IE that were each run from the desktop or quicklaunch bar don't share authentication info. At least this has been my experience with IE4 and 5.x. However, if you use File / New to start a new window, that window will share authentication info with the parent.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
Htaccess:
---
You should be aware that when you use normal .htaccess protection, the browser never logs out.. With e.g. Internet Explorer, all instances of IE have to be closed to make the browser forget the login..

There are several tricks to make the browser forget the login, but none really secure.. One is to make a logout link that links to e.g.

https://logout:[EMAIL PROTECTED]/logout

In the "logout" folder you make a new htaccess file that uses another htpasswd file which contains a user called logout with a password called logout, but keeping the same REALM.. (the realm is important).. This rewrites the browser credentials for your realm with username and password "logout".. (Make sure users in /logout have no vital access, of course)

The hard part is to get people to use the logout link and not just close the instance of the browser..

Secondly, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your system's username and password to a personal user page...

Switches:
---
The subject on switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security :)

SSL:
---
No, you do not need to purchase a certificate.. Simply generate your own..

Yet, in an environment where users share the same PC, security is hard to achieve (I am assuming that you're running a Windows environment), since various keyloggers can be installed on the clients, and you have access to the cache and the cookies. On this I have no wondrous advice :)..

(I didn't follow the thread, only the content of this mail, so I hope I'm not repeating anything already said)

- Dan Faerch
A/S ScanNet (Denmark)

----- Original Message -----
From: "eim" <[EMAIL PROTECTED]>
To: "Schusselig Brane" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, April 26, 2002 5:57 PM
Subject: Re: A more secure form of .htaccess?

> Hallo Brane,
>
> I'm actually a K-13 student, and so in my 'strategic'
> position I'm on both sides, admin of debian box and 3v1l cracker :)
>
> No, well.. I was just kidding, I have really better things to
> do than actually cracking Debian boxes in pubblic environments,
> but anyway I what do you think about using https for .htaccess
> authentication ?
>
> With https data will be encripted and it's impossible to
> find out login and password because they're not sent over
> the net in a clear way.
>
> Consider using https.
>
> Good work and protect your boxes !
>
> - Ivo
>
> On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote:
> > Tom Dominico wrote:
> > >
> > > Hello all,
> > >
> > > I have written some php-based internal systems for our users. Users are
> > > required to authenticate to access this system, and their login
> > > determines what they are allowed to do within the system. I am
> > > concerned that their logging in with cleartext passwords is a security
> > > risk. I work in a K-12 school enviroment, and many of these students
> > > are rather devious and resourceful (as I was at that age :) ). My fear
> > > is some bright student setting a sniffer up on my network and gleaning
> > > passwords from it.
> > >
> > > I am wondering if any of you have had similar problems. What is a more
> > > secure way for people to login? Is SSL an option, and if so, how do I
> > > go about using it? Do I have to purchase a certificate? Or is there
> > > some other option? Finally, should I be using .htaccess at all, or is
> > > there a better way? Thank you in advance for your advice.
> >
> > Another option would be to run switches instead of normal hub or bus
> > topology. Switches tend not to allow other nodes on a network to see
> > data that is passing over it. However, it will more than likely prove to
> > be a PITA to convince budget makers to allow the expense of the new
> > equipment.
> >
> > Useless input, I know. But, I didn't see anyone else mention this. As a
> > side note, if your installation is new enough, switches may already be
> > in place, and you don't have much to worry about as far as stuff getting
> > sniffed off the network. That is, of course, if the network was designed
> > with that in mind.
> >
> > -Will Wesley, CCNA
> > To make tax forms true they should read "Income Owed Us" and "Incommode
> > You".
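The realm behaviour Dan describes in this message, and which Gareth spells out earlier on the page (a personal page on the same host that challenges with the same realm name receives the stored username and password without any prompt), together with Dan's logout:logout trick, can be reproduced end to end against a local HTTP server. The following is an added example written for this page; it is not code from the thread, from Apache or from the PHP manual. It models a browser that keeps one Basic-auth credential per realm and a server with three hypothetical directories that stand in for three .htaccess files. The realm name "Intranet", the paths /intranet, /~student and /logout, and the account alice:s3cret are all made up for the demo.

```python
"""Added example (not from the thread, not Apache/PHP code): a local HTTP Basic-auth lab.
A browser model keeps one credential per realm; a server with three hypothetical
directories (stand-ins for three .htaccess files) shares that realm. Realm name,
paths and the alice:s3cret account are made up for the demo."""
import base64
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REALM = "Intranet"  # hypothetical AuthName shared by all three directories

# path prefix -> (realm, htpasswd-style users, is this the student's rogue page?)
PROTECTED = {
    "/intranet": (REALM, {"alice": "s3cret"}, False),   # the real login system
    "/~student": (REALM, {}, True),                     # personal page reusing the realm name
    "/logout":   (REALM, {"logout": "logout"}, False),  # second htpasswd file, same realm
}
HARVESTED = []  # (user, password) pairs the rogue page managed to log


def decode_basic(header):
    """Recover user and password from an Authorization: Basic header.
    Base64 is an encoding, not encryption: this is all a sniffer has to do."""
    if not header or not header.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    return user, password


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        realm, users, rogue = next((v for k, v in PROTECTED.items() if self.path.startswith(k)),
                                   (None, {}, False))
        creds = decode_basic(self.headers.get("Authorization"))
        if realm and (creds is None or (not rogue and users.get(creds[0]) != creds[1])):
            self.send_response(401)  # challenge; the browser answers with whatever it holds for this realm
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % realm)
            self.end_headers()
            return
        if rogue:
            HARVESTED.append(creds)  # the personal user page simply logs what it was handed
        self.send_response(200)
        self.end_headers()


class Browser:
    """2002-era browser model: one credential per realm, resent without asking to any page
    on the host that challenges with that realm; user:pass@host in the URL takes precedence."""

    def __init__(self, host, port, prompt):
        self.addr, self.prompt, self.cache, self.prompts = (host, port), prompt, {}, 0

    def _request(self, path, creds):
        headers = {}
        if creds:
            headers["Authorization"] = "Basic " + base64.b64encode(("%s:%s" % creds).encode()).decode()
        conn = http.client.HTTPConnection(*self.addr)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        m = re.search(r'realm="([^"]*)"', resp.getheader("WWW-Authenticate") or "")
        conn.close()
        return resp.status, (m.group(1) if m else None)

    def get(self, url):
        parts = urlsplit(url)
        status, realm = self._request(parts.path, None)
        if status != 401 or realm is None:
            return status
        creds = (parts.username, parts.password) if parts.username else self.cache.get(realm)
        if creds is None:
            self.prompts += 1
            creds = self.prompt(realm)
        status, _ = self._request(parts.path, creds)
        if status == 401:  # cached credential rejected: only now is the user asked
            self.prompts += 1
            creds = self.prompt(realm)
            status, _ = self._request(parts.path, creds)
        if status == 200:
            self.cache[realm] = creds  # whatever worked last is what every later page in the realm gets
        return status


def run_demo():
    """Log in once, visit a student page in the same realm, then use the logout:logout trick."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    del HARVESTED[:]
    browser = Browser(host, port, lambda realm: ("alice", "s3cret"))
    base = "http://%s:%d" % (host, port)
    statuses = [
        browser.get(base + "/intranet/"),        # alice is prompted once and logs in
        browser.get(base + "/~student/page"),    # same realm: her password is handed to the student page
        browser.get(base + "/intranet/report"),  # still logged in, no prompt
        browser.get("http://logout:logout@%s:%d/logout/" % (host, port)),  # Dan's logout link
        browser.get(base + "/intranet/"),        # logout:logout is rejected, alice is prompted again
    ]
    server.shutdown()
    server.server_close()
    return {"statuses": statuses, "harvested": list(HARVESTED), "prompts": browser.prompts}


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to print the result. The two lines that matter are the second request (the student page ends up with alice:s3cret although alice never typed it there; in a real deployment that page would be a PHP script sending the WWW-Authenticate header exactly as in the php.net page Gareth linked) and the last one (after the logout link the cache holds a credential /intranet rejects, so the password prompt comes back). Everything in this exchange crosses the wire as a base64 string unless it is wrapped in TLS, which is the thread's answer to the original question.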
Re: A more secure form of .htaccess?
Hello Brane,

I'm actually a K-13 student, and so in my 'strategic' position I'm on both sides, admin of a Debian box and 3v1l cracker :)

No, well.. I was just kidding, I have really better things to do than actually cracking Debian boxes in public environments, but anyway, what do you think about using https for .htaccess authentication?

With https data will be encrypted and it's impossible to find out login and password because they're not sent over the net in a clear way.

Consider using https.

Good work and protect your boxes!

- Ivo

On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote:
> Tom Dominico wrote:
> >
> > Hello all,
> >
> > I have written some php-based internal systems for our users. Users are
> > required to authenticate to access this system, and their login
> > determines what they are allowed to do within the system. I am
> > concerned that their logging in with cleartext passwords is a security
> > risk. I work in a K-12 school enviroment, and many of these students
> > are rather devious and resourceful (as I was at that age :) ). My fear
> > is some bright student setting a sniffer up on my network and gleaning
> > passwords from it.
> >
> > I am wondering if any of you have had similar problems. What is a more
> > secure way for people to login? Is SSL an option, and if so, how do I
> > go about using it? Do I have to purchase a certificate? Or is there
> > some other option? Finally, should I be using .htaccess at all, or is
> > there a better way? Thank you in advance for your advice.
>
> Another option would be to run switches instead of normal hub or bus
> topology. Switches tend not to allow other nodes on a network to see
> data that is passing over it. However, it will more than likely prove to
> be a PITA to convince budget makers to allow the expense of the new
> equipment.
>
> Useless input, I know. But, I didn't see anyone else mention this. As a
> side note, if your installation is new enough, switches may already be
> in place, and you don't have much to worry about as far as stuff getting
> sniffed off the network. That is, of course, if the network was designed
> with that in mind.
>
> -Will Wesley, CCNA
> To make tax forms true they should read "Income Owed Us" and "Incommode
> You".
Re: A more secure form of .htaccess?
Trust not in switches. They too can be easily manipulated unless you have
locked them down at a mac address and port level.

'apt-get install dsniff' ; 'man arpspoof'

> Another option would be to run switches instead of normal hub or bus
> topology. Switches tend not to allow other nodes on a network to see
> data that is passing over it. However, it will more than likely prove to
> be a PITA to convince budget makers to allow the expense of the new
> equipment.
>
> Useless input, I know. But, I didn't see anyone else mention this. As a
> side note, if your installation is new enough, switches may already be
> in place, and you don't have much to worry about as far as stuff getting
> sniffed off the network. That is, of course, if the network was designed
> with that in mind.
>
> -Will Wesley, CCNA
> To make tax forms true they should read "Income Owed Us" and "Incommode
> You".

[-] Steve Mickeler [ [EMAIL PROTECTED] ]
[|] Today's root password is brought to you by /dev/random
[+] 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
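Added example, not code from the thread or from the dsniff package: the defender's counterpart to the advice above is to watch for the one thing ARP-cache poisoning cannot avoid doing, re-announcing an IP address with a different MAC. The reply records below are constructed sample data; in a real deployment they would come from a sniffer on a mirror port, which is what the Debian arpwatch package does for you.

```python
"""
Minimal ARP-cache watcher: learns IP->MAC bindings from observed ARP replies
and raises an alert when an address is re-announced with a different MAC.
Added example, not from the list thread; SAMPLE_REPLIES is constructed data,
not a capture from any real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (or gratuitous ARP), reduced to what matters here."""
    t: float          # seconds since the capture started (constructed)
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    t: float
    ip: str
    old_mac: str
    new_mac: str


@dataclass
class ArpWatch:
    """Learns IP->MAC bindings and alerts when an IP shows up with a new MAC."""
    # Bindings the operator pins up front (gateway, servers); learning never overrides these.
    pinned: Dict[str, str] = field(default_factory=dict)
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, r: ArpReply) -> Optional[Alert]:
        mac = r.sender_mac.lower()
        expected = self.pinned.get(r.sender_ip, self.learned.get(r.sender_ip))
        if expected is None:
            self.learned[r.sender_ip] = mac      # first sighting: learn it
            return None
        if expected.lower() == mac:
            return None                           # ordinary re-announcement
        # Binding changed. Keep the old binding rather than adopting the new one,
        # so a flood of forged replies cannot quietly "win" the table.
        alert = Alert(r.t, r.sender_ip, expected.lower(), mac)
        self.alerts.append(alert)
        return alert

    def macs_claiming_several_ips(self) -> Set[str]:
        """A single MAC that turns up as the *new* owner of more than one IP is
        the usual pattern of one host poisoning both ends of a conversation."""
        claimed: Dict[str, Set[str]] = {}
        for a in self.alerts:
            claimed.setdefault(a.new_mac, set()).add(a.ip)
        return {mac for mac, ips in claimed.items() if len(ips) > 1}


# Constructed sample traffic: a gateway, a workstation, then a third MAC that
# claims both of their addresses.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(0.5, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(30.2, "10.0.0.1", "DE:AD:BE:EF:00:99"),
    ArpReply(30.3, "10.0.0.20", "de:ad:be:ef:00:99"),
]


def run_sample() -> ArpWatch:
    """Feed the constructed replies through a watcher with the gateway pinned."""
    watch = ArpWatch(pinned={"10.0.0.1": "00:11:22:33:44:01"})
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch


if __name__ == "__main__":
    w = run_sample()
    for a in w.alerts:
        print(f"t={a.t:6.1f}  {a.ip} moved {a.old_mac} -> {a.new_mac}")
    print("MACs claiming several IPs:", w.macs_claiming_several_ips())
```

Pinning the gateway's binding means a forged reply for it is reported rather than learned. Beyond detection, the lockdown Steve describes maps to switch features such as port security and, where the hardware has it, dynamic ARP inspection; none of that replaces protecting the login itself with encryption.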
Re: A more secure form of .htaccess?
Tom Dominico wrote:
>
> Hello all,
>
> I have written some php-based internal systems for our users. Users are
> required to authenticate to access this system, and their login
> determines what they are allowed to do within the system. I am
> concerned that their logging in with cleartext passwords is a security
> risk. I work in a K-12 school environment, and many of these students
> are rather devious and resourceful (as I was at that age :) ). My fear
> is some bright student setting a sniffer up on my network and gleaning
> passwords from it.
>
> I am wondering if any of you have had similar problems. What is a more
> secure way for people to login? Is SSL an option, and if so, how do I
> go about using it? Do I have to purchase a certificate? Or is there
> some other option? Finally, should I be using .htaccess at all, or is
> there a better way? Thank you in advance for your advice.

Another option would be to run switches instead of normal hub or bus
topology. Switches tend not to allow other nodes on a network to see
data that is passing over it. However, it will more than likely prove to
be a PITA to convince budget makers to allow the expense of the new
equipment.

Useless input, I know. But, I didn't see anyone else mention this. As a
side note, if your installation is new enough, switches may already be
in place, and you don't have much to worry about as far as stuff getting
sniffed off the network. That is, of course, if the network was designed
with that in mind.

-Will Wesley, CCNA
To make tax forms true they should read "Income Owed Us" and "Incommode
You".
Re: A more secure form of .htaccess?
You might want to take a look at using digest authentication, which sends
an MD5 digest of the password instead of the actual password.

http://httpd.apache.org/docs/howto/auth.html

> I have written some php-based internal systems for our users. Users are
> required to authenticate to access this system, and their login
> determines what they are allowed to do within the system. I am
> concerned that their logging in with cleartext passwords is a security
> risk. I work in a K-12 school environment, and many of these students
> are rather devious and resourceful (as I was at that age :) ). My fear
> is some bright student setting a sniffer up on my network and gleaning
> passwords from it.
>
> I am wondering if any of you have had similar problems. What is a more
> secure way for people to login? Is SSL an option, and if so, how do I
> go about using it? Do I have to purchase a certificate? Or is there
> some other option? Finally, should I be using .htaccess at all, or is
> there a better way? Thank you in advance for your advice.

--
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]
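Added example, not from the thread or from the Apache howto linked above: what a passive sniffer sees with Basic authentication versus Digest (RFC 2617, qop=auth), and the server-side check against the user:realm:HA1 line that the htdigest tool writes. The username, realm, password and nonce are constructed values.

```python
"""
HTTP Basic vs. HTTP Digest authentication: what crosses the wire, and how
the server verifies a Digest response from the stored HA1 without ever
holding or receiving the cleartext password.  Added example, not from the
list thread; all credential and nonce values are constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict, Set, Tuple


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic: the credential is merely base64-encoded -----------------------
def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header: str) -> str:
    """Everything a sniffer has to do to read a Basic credential."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


# --- Digest: only an MD5 over (password, nonce, request) crosses the wire ---
def ha1(user: str, realm: str, password: str) -> str:
    """This hash is what htdigest stores in the password file (user:realm:HA1)."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest_header(user: str, realm: str, password: str, method: str,
                         uri: str, nonce: str, nc: str = "00000001",
                         cnonce: str = "0a4f113b") -> Dict[str, str]:
    """Fields the browser puts into its Authorization: Digest header."""
    response = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(hdr: Dict[str, str], method: str,
                  htdigest: Dict[Tuple[str, str], str], live_nonces: Set[str]) -> bool:
    """Recompute from the stored HA1 and compare in constant time.
    The nonce must be one this server issued and has not yet retired; otherwise
    a captured response could simply be replayed."""
    stored = htdigest.get((hdr["username"], hdr["realm"]))
    if stored is None or hdr["nonce"] not in live_nonces:
        return False
    expected = digest_response(stored, method, hdr["uri"], hdr["nonce"],
                               hdr["nc"], hdr["cnonce"], hdr["qop"])
    return hmac.compare_digest(expected, hdr["response"])


def demo() -> Dict[str, object]:
    """Run one Basic and several Digest exchanges on constructed values."""
    user, realm, password = "tom", "Staff Intranet", "s3cret-pw"   # constructed
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"                    # constructed, server-issued
    htdigest = {(user, realm): ha1(user, realm, password)}           # the server's file, in memory

    on_the_wire_basic = basic_header(user, password)
    hdr = client_digest_header(user, realm, password, "GET", "/grades/", nonce)
    wrong = client_digest_header(user, realm, "guess", "GET", "/grades/", nonce)

    return {
        "basic_recovered": basic_recover(on_the_wire_basic),
        "digest_leaks_password": password in " ".join(hdr.values()),
        "digest_ok": server_verify(hdr, "GET", htdigest, {nonce}),
        "wrong_password": server_verify(wrong, "GET", htdigest, {nonce}),
        "replayed_after_nonce_retired": server_verify(hdr, "GET", htdigest, set()),
        "method_tampered": server_verify(hdr, "POST", htdigest, {nonce}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} {v}")
```

Digest keeps the password itself off the wire and out of the server's file, but it is still MD5 over a short secret: anyone who captures one exchange can test password guesses offline against the response, and nothing else in the session is protected. Apache serves it through mod_auth_digest (AuthType Digest); the thread's other suggestion, TLS, is what covers the rest of the traffic.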
Re: A more secure form of .htaccess?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I am wondering if any of you have had similar problems. What is a more
> secure way for people to login? Is SSL an option, and if so, how do I
> go about using it? Do I have to purchase a certificate? Or is there
> some other option? Finally, should I be using .htaccess at all, or is
> there a better way? Thank you in advance for your advice.

You will run into this problem with just about all forms of
authentication. You *can* generate a self signed certificate for free,
however, most web browsers will pop up a warning saying the certificate
cannot be verified. If you had some way of forcing all browsers in the
building to accept it, then no one would be any the wiser. There is a
HOWTO on Apache and SSL that explains how to do this.

The .htaccess method is not a terrible method, assuming people don't have
general access to the files (they are on a server they don't have access
to, or permissions on the files are set up so that no one has access to
them). Some say this is a better method than using generated forms,
because of its ease of administration, however the problem is with
logging out. The authentication method has no way of really logging out,
and there is not a real standard. Most (but not all) browsers will reset
authentication when they reach a 404 in the realm they are logged in to.
So it depends on the application.

Jay
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xHHlkrX4GRLrvwgRAsyzAKCJMlW2Nfzlu0SslJtIiX5OxVzTsQCdEASJ
5Av1BlRsHsJQLC5xVC2Ffz0=
=fquZ
-----END PGP SIGNATURE-----
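Added example, not from the thread: a small audit of the assumption in the post above, that the password file behind .htaccess is out of the users' reach. It checks where the file sits relative to the document root and whether its world-access bits are set; the directory layout and the placeholder hash line are constructed in a temporary directory.

```python
"""
Audit an .htpasswd/.htdigest-style file for the two things that make it
readable by the wrong people: living under the document root, or carrying
world-access permission bits.  Added example, not from the list thread;
the layout built by demo() is constructed in a temporary directory.
"""
import os
import stat
import tempfile
from typing import Dict, List


def audit_auth_file(path: str, document_root: str) -> List[str]:
    """Return findings for a password file.

    - 'inside-docroot': the file lives under the web root, so a missing
      <Files> rule (or a different web server) could serve it directly.
    - 'world-accessible': any local account can read (or write) it.
    Group access is deliberately not flagged: owner root, group www-data,
    mode 0640 is the usual way to let the server read the file and nobody else.
    """
    findings: List[str] = []
    real = os.path.realpath(path)
    root = os.path.realpath(document_root)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside-docroot")
    if os.stat(real).st_mode & stat.S_IRWXO:
        findings.append("world-accessible")
    return findings


def demo() -> Dict[str, List[str]]:
    """Build one bad and one good layout in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as top:
        docroot = os.path.join(top, "htdocs")
        etc = os.path.join(top, "etc", "apache")
        os.makedirs(docroot)
        os.makedirs(etc)

        bad = os.path.join(docroot, ".htpasswd")   # in the web root, 0644
        good = os.path.join(etc, "htpasswd")        # outside it, 0640
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("tom:PLACEHOLDER-HASH\n")  # constructed, not a real hash
        os.chmod(bad, 0o644)
        os.chmod(good, 0o640)

        return {"bad": audit_auth_file(bad, docroot),
                "good": audit_auth_file(good, docroot)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'ok'}")
```

Run it against the real paths named by AuthUserFile or AuthDigestFile on the server. Keeping the file outside the document root is the stronger of the two checks, since it does not depend on a <Files> rule being in place and correct.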
A more secure form of .htaccess?
Hello all,

I have written some php-based internal systems for our users. Users are
required to authenticate to access this system, and their login
determines what they are allowed to do within the system. I am
concerned that their logging in with cleartext passwords is a security
risk. I work in a K-12 school environment, and many of these students
are rather devious and resourceful (as I was at that age :) ). My fear
is some bright student setting a sniffer up on my network and gleaning
passwords from it.

I am wondering if any of you have had similar problems. What is a more
secure way for people to login? Is SSL an option, and if so, how do I
go about using it? Do I have to purchase a certificate? Or is there
some other option? Finally, should I be using .htaccess at all, or is
there a better way? Thank you in advance for your advice.

Tom Dominico
Technology Coordinator
Parlier Unified School District