Re: [WEB SECURITY] secure basic authentication
- From: Vincent Archer <varcher@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] secure basic authentication
- Date: Tue, 24 Jan 2006 09:17:09 +0100
On Tue, Jan 24, 2006 at 03:24:55PM +1300, Jason Haar wrote:
> Emilio Casbas wrote:
> > -basic authentication + SSL is secure only in the logon, but
> > due to HTTP's stateless feature it will send the consecutive
> > sensitive headers
> > in clear text.
> >
>
> Sorry - you've lost me there. Basic-over-SSL means what it says. It is a
> HTTPS session over which Basic authentication occurs. It cannot be
> "sniffed" in exactly the same way HTTPS cannot be sniffed. There is no
> clear text.
I suspect this is a mix-up between two authentication forms. Lots of
web apps perform their authentication on an https://... page, then revert
to standard http.
That's what happens when you use a token-based auth (whether the token
is kept as a cookie, or an invisible post argument, or whatever).
Basic auth + an SSL "login page" doesn't make sense. There's no login
page in basic auth - the browser performs the "login" locally upon seeing
the required status code in http. If you have https, then all your pages
are being protected. If you have http, none are. But there's no
SSL-protected logon page, unless you deliberately make a logon portal
which is the first page that requires basic auth, and you make this
an https://... link, which redirects you to http afterward. But that's
not a logon page, that's a portal. If you bypass the portal and directly
link to an "inner page", you still get to log on, you just never pass
the https stage.
Oh, and yes. If you're using Basic auth, you should require all your pages
to be protected using ssl. Unfortunately, if you have a non-ssl set of
pages that don't require auth, the browser will still happily send the
basic auth info while navigating these. In the clear. So, if you're doing
a basic-authenticated site, I suggest that all authenticated pages are
on a separate virtual host that accepts only https. Your base site is
www.whatever.web, your authenticated part is auth.whatever.web for example.
--
Vincent ARCHER
varcher@xxxxxxxxxxx
Tel : +33 (0)1 40 07 49 96
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France
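The failure mode described in the reply (a browser that keeps replaying Basic credentials, including over plain http to pages that never asked for them) and the suggested fix (keep every authenticated page on a separate https-only vhost) can both be checked mechanically. The following is an added example, not code from the list post or from any project mentioned in it. It takes a constructed list of requests, in the shape a proxy or capture tool would hand you, and reports which ones carry `Authorization: Basic` over plain http and which ones reach the authenticated host over anything but https. Host names (`www.whatever.web`, `auth.whatever.web`), paths and credentials are hypothetical values from the post and from this example; only the username is reported, never the password.

```python
import base64
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: requests as a browser sends them once it has answered a
# Basic auth challenge. Hosts/paths are hypothetical; "alice:s3cret" is a
# made-up credential.
SAMPLE_REQUESTS: List[Dict[str, object]] = [
    # Correct case: authenticated vhost, https, credentials protected by TLS.
    {"scheme": "https", "host": "auth.whatever.web", "path": "/account/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}},
    # The leak the post warns about: a public, non-auth page on plain http,
    # but the browser replays the cached Basic credentials anyway.
    {"scheme": "http", "host": "www.whatever.web", "path": "/news/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}},
    # Harmless: public page, no credentials attached.
    {"scheme": "http", "host": "www.whatever.web", "path": "/about/", "headers": {}},
    # Policy violation plus a malformed header (valid base64, but no "user:pass").
    {"scheme": "http", "host": "auth.whatever.web", "path": "/account/",
     "headers": {"Authorization": "Basic bm90YmFzZTY0"}},
]


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64(user:pass)>'. Returns (user, pass) or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def find_cleartext_basic_auth(requests: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Requests that carry Basic credentials over plain http.

    Returns (url, username) pairs; the password is deliberately not returned.
    """
    findings = []
    for req in requests:
        headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
        auth = headers.get("Authorization")
        if req["scheme"] != "http" or not auth:
            continue
        creds = decode_basic_credentials(auth)
        user = creds[0] if creds else "<unparseable>"
        findings.append((f"http://{req['host']}{req['path']}", user))
    return findings


def https_only_policy_violations(requests: List[Dict[str, object]],
                                 auth_hosts: Set[str]) -> List[str]:
    """The post's mitigation as a check: authenticated vhosts accept https only."""
    return [f"{r['scheme']}://{r['host']}{r['path']}" for r in requests
            if r["host"] in auth_hosts and r["scheme"] != "https"]


if __name__ == "__main__":
    for url, user in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print(f"cleartext Basic credentials for user {user!r} on {url}")
    for url in https_only_policy_violations(SAMPLE_REQUESTS, {"auth.whatever.web"}):
        print(f"authenticated host reached without TLS: {url}")
```

Fed real proxy or capture output, the first function is a quick way to confirm the replay behaviour the post describes on your own site; the second checks that the split into `www.` and an https-only `auth.` host is actually holding, since a single request to the auth host over http means the vhost still answers on port 80.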
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org