httpd-users mailing list archives

From: Ben Ricker <bric...@wellinx.com>
Subject: Re: [users@httpd] Is basic authentication secure
Date: Thu, 31 Oct 2002 14:47:51 GMT
If the login page is encrypted through SSL, then the authentication info
is also encrypted. This is not COMPLETELY safe, since the encryption
level can be too small (for instance, 40-bit encryption is sniffable; the
hacker must decrypt it using other tools, but it can be done): someone
may still sniff the SSL-encrypted data, crack the encryption, and get
the user data.

If you really want to protect the connection, force 128-bit encryption
from the client.

Ben Ricker
Wellinx.com

On Thu, 2002-10-31 at 08:38, Curley, Thomas wrote:
> I would appreciate some comment on the following text, which was provided to us by a security
> consultant wrt basic authentication to a MySql DB :-
> 
> "Although the password is stored on the server in encrypted format, it is passed from
> the client to the server in plain text across the network. Anyone listening with any variety
> of packet sniffer will be able to read the username and password in the clear as it goes across.
> Not only that, but note that the username and password are passed with every request (taken
> care of by the browser), not just when the user first types them in. So the packet sniffer
> need not be listening at a particularly strategic time, but just for long enough to see any
> single request come across the wire. Don't use basic authentication for anything that requires
> real security."
> 
> I had thought that once the 'Authentication dialog' (after I request a secure URL) appears,
> an SSL session is established and that effectively all transmission is via SSL - is this
> correct, or is the situation that the SSL session is not initiated until after I am authenticated?
> 
> thanks
> 
> Thomas
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
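The two points in the thread, worked through as an added example (this is not code from the thread or from the Apache httpd project): first, what a packet sniffer recovers from Basic authentication on a plain-text connection, where the browser repeats the Authorization header on every request after the dialog; second, the check a practitioner would want on the httpd side, an audit of an httpd.conf fragment for Basic-auth locations that do not force SSL and a 128-bit cipher the way the reply advises. The captured requests, the user name and password, the host name and the httpd.conf fragment are all constructed for the example. SSLRequireSSL and SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 are real mod_ssl directives (SSLRequire is deprecated in httpd 2.4 in favour of Require expr, but still works); the audit function and its messages are this example's own.

```python
"""Added example, not from the thread or the httpd project. Two checks that
follow from the discussion: (1) what a packet sniffer recovers from HTTP Basic
auth on a plain-text connection, and (2) an audit of an httpd.conf fragment for
Basic-auth locations that do not force SSL with at least a 128-bit cipher.
Every input below is constructed for the example."""
import base64
import re


def make_basic_header(user: str, password: str) -> str:
    """The header the browser adds to every request once the dialog is
    answered. Base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed capture: three requests as they appear on the wire without SSL.
# The first is the unauthenticated request that triggers the dialog; every
# request after it carries the credentials, so a sniffer need only see one.
SNIFFED = (
    b"GET /secure/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    b"GET /secure/ HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic dGhvbWFzOnMzY3IzdCFQYXNz\r\n\r\n"
    b"GET /secure/report.cgi HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic dGhvbWFzOnMzY3IzdCFQYXNz\r\n\r\n"
)


def extract_basic_credentials(capture: bytes):
    """Return (method, path, user, password) for every request in the capture
    that carries an Authorization: Basic header."""
    found = []
    for raw in capture.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.split(b"\r\n")
        method, path = lines[0].split(b" ")[:2]
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() != b"authorization":
                continue
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() != b"basic":
                continue
            try:
                decoded = base64.b64decode(token.strip(), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue  # malformed token, nothing recoverable
            user, _, password = decoded.decode("latin-1").partition(":")
            found.append((method.decode(), path.decode(), user, password))
    return found


# Constructed httpd.conf fragment. The first Location relies on Basic auth
# alone; the second forces SSL and a 128-bit cipher as the reply advises.
# SSLRequireSSL and SSLRequire are mod_ssl directives (SSLRequire is
# deprecated in httpd 2.4 in favour of "Require expr", but still works).
HTTPD_CONF = """
<Location /secure>
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile /etc/httpd/passwd
    Require valid-user
</Location>

<Location /secure-ssl>
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile /etc/httpd/passwd
    Require valid-user
</Location>
"""

BLOCK_RE = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S)


def audit_basic_auth(conf: str) -> dict:
    """Map each Location/Directory path that uses AuthType Basic to the list
    of problems found (an empty list means SSL and key size are both forced)."""
    report = {}
    for _kind, path, body in BLOCK_RE.findall(conf):
        if not re.search(r"^\s*AuthType\s+Basic\b", body, re.M | re.I):
            continue
        problems = []
        if not re.search(r"^\s*SSLRequireSSL\b", body, re.M | re.I):
            problems.append("reachable without SSL: add SSLRequireSSL")
        m = re.search(r"^\s*SSLRequire\s+%\{SSL_CIPHER_USEKEYSIZE\}\s*>=\s*(\d+)",
                      body, re.M | re.I)
        if m is None or int(m.group(1)) < 128:
            problems.append("no 128-bit minimum: add SSLRequire "
                            "%{SSL_CIPHER_USEKEYSIZE} >= 128")
        report[path.strip()] = problems
    return report


if __name__ == "__main__":
    for method, path, user, password in extract_basic_credentials(SNIFFED):
        print(f"{method} {path}: user={user!r} password={password!r}")
    for path, problems in audit_basic_auth(HTTPD_CONF).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run stand-alone it prints the user name and password twice, once per authenticated request, which is the consultant's point: any single request after the dialog is enough. The audit flags /secure and passes /secure-ssl. Note that SSLRequireSSL only refuses non-SSL access to the location; the key size check in SSLRequire is what enforces the "128-bit from the client" advice, and the server's SSLCipherSuite still has to offer strong ciphers for that check to ever pass.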