Re: Secure basic authentication. Is it possible?
On Mon, 24 May 2004, "Slivarez!" wrote:

> Thanks for the advice, but I need to make something clear to me. The main
> problem with ncsa_auth is SNIFFERS, i.e. a simple sniffer can get the password
> from a TCP packet. Does the digest helper allow encrypting the password before
> transmitting it to a proxy (or how does it work)?

Digest never transmits the password over the wire.

Digest uses secure one-time hashes on the wire, meaning that even if an attacker sniffs the wire traffic he cannot use what is found, or at worst, if the security level is set low, reuse the information only to log in to the proxy for a short time after it was seen on the wire.

It is still possible to use a dictionary attack on the secure hash to try to offline guess what the password is, but this requires a significant amount of CPU time in hash MD5 operations.

Regards
Henrik
Re: Secure basic authentication. Is it possible?
>Basic authentication is fundamentally insecure. If you need to secure it,
>then you would have to use a technique like SSL port-forwarding or IPsec
>encryption.

That's what I'm talking about.

>If your only goal is to protect the password exchanges then using Digest
>authentication is an alternative. Here I recommend the Digest helper from
>Squid-3.0 with Squid-2.5. The digest helper from Squid-3.0 is compatible
>with the htdigest Digest password hashing program from Apache much in the
>same manner that the ncsa_auth program is compatible with the htpasswd
>password hashing program from Apache (note to others: the ncsa_auth helper
>in Squid-3.0 also supports MD5 hashing, not only crypt hashing)

Thanks for the advice, but I need to make something clear to me. The main problem with ncsa_auth is SNIFFERS, i.e. a simple sniffer can get the password from a TCP packet. Does the digest helper allow encrypting the password before transmitting it to a proxy (or how does it work)?
Re: Secure basic authentication. Is it possible?
On Fri, 21 May 2004, "Slivarez !" wrote:

> Hi, ALL.
>
> I'm using squid-2.5.STABLE5+basic_auth(ncsa_auth). BUT simply
> Sniffer can get USERID and PASSWORD from tcp packets. Is there any
> possibility to make basic authentication more secure?

Basic authentication is fundamentally insecure. If you need to secure it, then you would have to use a technique like SSL port-forwarding or IPsec encryption.

Duane W.
Secure basic authentication. Is it possible?
Hi, ALL.

I'm using squid-2.5.STABLE5+basic_auth(ncsa_auth). BUT simply Sniffer can get USERID and PASSWORD from tcp packets. Is there any possibility to make basic authentication more secure?

Thanks.