Re: [WEB SECURITY] secure basic authentication
- From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] secure basic authentication
- Date: Tue, 24 Jan 2006 15:24:55 +1300
Emilio Casbas wrote:
> -basic authentication + SSL is secure only in the logon, but
> due to HTTP's stateless feature it will send the consecutive
> sensitive headers
> in clear text.
>
Sorry - you've lost me there. Basic-over-SSL means what it says. It is a
HTTPS session over which Basic authentication occurs. It cannot be
"sniffed" in exactly the same way HTTPS cannot be sniffed. There is no
clear text.
It is more secure (from a network sniffer perspective) than any other
option - as there is even less information viewable.
>
> -NTLM isn't a standard in HTTP authentication scheme, and is insecure
I won't argue with that - but the big problem with NTLM (in my book) is
that it isn't proxyable. That alone would make me use Basic-over-HTTPS
any day.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
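The two points Jason makes above, put into runnable form as an added example (this is not code from the thread or from any project mentioned in it): a Basic Authorization header is only base64, so whoever can read it reads the password, and because HTTP is stateless the header arrives on every request, so the "is this connection TLS?" check has to run on every request, not just at logon. The WSGI-style `check_request`, `constructed_environ`, the `USERS` table and the Aladdin credentials (taken from the Basic auth RFC's own example) are all constructed for illustration; the code assumes the application terminates TLS itself so that `wsgi.url_scheme` can be trusted.

```python
import base64
import binascii
import hmac

# Constructed sample: the Basic auth RFC's example, user "Aladdin", password "open sesame".
SAMPLE_BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

# Constructed credential store for the illustration only; a real deployment
# stores a password hash, never the plaintext.
USERS = {"Aladdin": "open sesame"}


def decode_basic(authorization):
    """Return (user, password) from a Basic Authorization value, or None.

    Basic is base64, not encryption: anyone who can read the header reads
    the password.  That is the whole reason it may only travel inside TLS.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # bad base64 or bad UTF-8
        return None
    # Only the first colon separates user from password; the password may contain ':'.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def verify(user, password):
    """Constant-time comparison against the constructed USERS table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    )


def check_request(environ, verify_fn):
    """Classify one request: "no-credentials", "plaintext", "bad-header",
    "bad-credentials" or "accept".

    The TLS check runs on every request because the client re-sends the
    header on every request.  Assumption: TLS is terminated by this process,
    so wsgi.url_scheme is authoritative.  Behind a TLS-terminating proxy you
    would instead check a header that only that proxy can set.
    """
    authorization = environ.get("HTTP_AUTHORIZATION")
    if authorization is None:
        return "no-credentials"
    if environ.get("wsgi.url_scheme") != "https":
        # The password just crossed the wire readable; refuse rather than
        # quietly let the client keep doing it.
        return "plaintext"
    creds = decode_basic(authorization)
    if creds is None:
        return "bad-header"
    user, password = creds
    return "accept" if verify_fn(user, password) else "bad-credentials"


STATUS = {
    "accept": "200 OK",
    "no-credentials": "401 Unauthorized",
    "bad-credentials": "401 Unauthorized",
    "bad-header": "400 Bad Request",
    "plaintext": "403 Forbidden",
}


def app(environ, start_response):
    """Minimal WSGI application wired to check_request (illustration only)."""
    outcome = check_request(environ, verify)
    headers = [("Content-Type", "text/plain")]
    if outcome in ("no-credentials", "bad-credentials"):
        headers.append(("WWW-Authenticate", 'Basic realm="example"'))
    start_response(STATUS[outcome], headers)
    return [outcome.encode("utf-8")]


def constructed_environ(scheme, authorization=None):
    """Build a minimal WSGI environ for offline use (constructed, no network)."""
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization is not None:
        env["HTTP_AUTHORIZATION"] = authorization
    return env


if __name__ == "__main__":
    print(decode_basic(SAMPLE_BASIC_HEADER))
    for scheme in ("http", "https"):
        print(scheme, "->", check_request(constructed_environ(scheme, SAMPLE_BASIC_HEADER), verify))
```

Run it as a script to see the same header accepted over https and refused over http; the decode step makes the "no secrecy from Basic itself" point concrete, since the password comes straight back out of the header.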
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org