httpd-users mailing list archives

From "Jose Correia (J)" <Corr...@telkom.co.za>
Subject RE: [users@httpd] Basic Authentication
Date Thu, 31 Oct 2002 15:07:47 GMT
Hi Boyle

I don't think he was confused; he was aware that he wanted basic
authentication over a secure connection, which is the combined option
you mentioned above and which, provided it uses 128kbit encryption, is
more than safe. He just wanted confirmation that this was indeed the
case. I just thought that since the consultant didn't mention doing
Basic Authentication over an SSL connection, he was quite rightly
mentioning that it wasn't safe.

Regards
Jose


-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com]
Sent: 31 October 2002 16:57
To: users@httpd.apache.org
Subject: RE: [users@httpd] Basic Authentication


You are confusing SSL with Basic Authentication. They are two different
things...

Basic Authentication is the mechanism whereby you get a pop-up window in
the browser and have to type in a password. This, as the consultant
says, is not very secure although he is not exactly correct when he
implies that the username and password are sent "en clair".

What happens is that when a client requests a document from a
"protected" directory, the server replies with a 401 "Authorization
required". The browser then prompts the user. When the user types in the
username and password, the browser combines these using a base64
encoding scheme to form a single string. It then sends this string in an
"Authorization" header with every subsequent request to that directory.
The encoded string is not hard to decode but it is not obvious to the
eye what the username and password are.

SSL is an entirely different mechanism. It is used to allow the client
and server to establish an encrypted communication channel through which
all traffic flows. Depending on the cipher used, this is either very
secure or practically unbreakable.

You can combine the two - i.e. have a password area on an SSL site. In
this case, the password goes through the SSL channel and so is entirely
secure from snoopers. Note that on an SSL site, all HTTP traffic takes
place *under* SSL - i.e. the SSL channel is established before *any*
HTTP traffic takes place. This is the reason for the famous
"why-don't-my-name-based-virtual-hosts-work-under-SSL?" question which
pops up on this list with wearying frequency...

Rgds,

Owen Boyle.
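
The 401-then-Authorization exchange Owen describes, as an added example that is not part of the original thread: it builds and decodes the Basic header the way a browser does, then walks a constructed packet capture to show why every plaintext request, not just the login, exposes the credentials. Usernames, passwords, hostnames and paths are all constructed sample values.

```python
import base64

def build_basic_header(username: str, password: str) -> str:
    """Form the header the browser sends: base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Authorization: Basic {token}"

def decode_basic_header(header_line: str) -> tuple[str, str]:
    """Reverse the encoding. Base64 hides nothing from anyone who can read the request."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not Basic auth: {scheme}")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password

# Constructed sample capture (not from the thread): the browser retrying the
# protected URLs after the 401, twice over plain HTTP and once over SSL.
CAPTURE = [
    {"port": 80, "request": ("GET /protected/a.html HTTP/1.1\r\nHost: www.example.com\r\n"
                             + build_basic_header("alice", "s3cret") + "\r\n\r\n")},
    {"port": 80, "request": ("GET /protected/b.html HTTP/1.1\r\nHost: www.example.com\r\n"
                             + build_basic_header("alice", "s3cret") + "\r\n\r\n")},
    # Under SSL the channel is set up before any HTTP flows, so a sniffer sees
    # only ciphertext; the Authorization header is never readable on the wire.
    {"port": 443, "request": "<TLS application data, opaque to a sniffer>"},
]

def exposed_credentials(capture: list[dict]) -> list[tuple[str, str]]:
    """Defender's review of a capture: (path, username) for every plaintext HTTP
    request that carried Basic credentials. Because the browser re-sends the
    header on each request, one captured request anywhere in the session suffices."""
    hits = []
    for pkt in capture:
        if pkt["port"] != 80:
            continue  # port 443 payload is TLS ciphertext, nothing to parse
        lines = pkt["request"].split("\r\n")
        path = lines[0].split(" ")[1]
        for line in lines[1:]:
            if line.lower().startswith("authorization:"):
                user, _ = decode_basic_header(line)
                hits.append((path, user))
    return hits
```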

-----Original Message-----
From: Jose Correia (J) [mailto:CorreiJ@telkom.co.za]
Sent: Thursday, 31 October 2002 15:40
To: users@httpd.apache.org
Subject: RE: [users@httpd] Basic Authentication


Hi Thomas

I'm under the same impression as you. The consultant though seems to
be talking about a non-SSL-enabled connection, in which case he would be
correct??

Regards
Jose

-----Original Message-----
From: Curley, Thomas [mailto:thomas.curley@euroconex.com]
Sent: 31 October 2002 16:33
To: users@httpd.apache.org
Subject: [users@httpd] Basic Authentication


I would appreciate some comment on the following text, which was
provided to us by a security consultant wrt basic authentication to a
MySql DB :-

"Although the password is stored on the server in encrypted format, it
is passed from the client to the server in plain text across the
network. Anyone listening with any variety of packet sniffer will be
able to read the username and password in the clear as it goes across.
Not only that, but note that the username and password are passed with
every request (taken care of by the browser), not just when the user
first types them in. So the packet sniffer need not be listening at a
particularly strategic time, but just for long enough to see any
single request come across the wire. Don't use basic authentication
for anything that requires real security."


I had thought that once the 'Authentication dialog' (after I request a
secure URL) appears that an SSL session is established and that
effectively all transmission is via SSL - is this correct or is the
situation that the SSL session is not initiated until after I am
authenticated?


thanks

Thomas



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org