Re: [WEB SECURITY] secure basic authentication
- From: Emilio Casbas <ecasbas@xxxxxxx>
- Subject: Re: [WEB SECURITY] secure basic authentication
- Date: Tue, 24 Jan 2006 12:17:44 +0100
Jason Haar wrote:
>Emilio Casbas wrote:
>
>> - Basic authentication + SSL is secure only in the logon, but
>> due to HTTP's stateless feature it will send the consecutive
>> sensitive headers in clear text.
>
>Sorry - you've lost me there. Basic-over-SSL means what it says. It is a
>HTTPS session over which Basic authentication occurs. It cannot be
>"sniffed" in exactly the same way HTTPS cannot be sniffed. There is no
>clear text.
>
>It is more secure (from a network sniffer perspective) than any other
>option - as there is even less information viewable.
>
Yes, I agree with you, but maybe I haven't explained myself well.
With consecutive headers I mean the next HTTP requests that the client
will send after his secure authentication. "Only" the logon will be with
HTTPS; the next HTTP requests for different resources will send the headers
in clear text, as HTTP does.
I think it's very common that web services attempt to authenticate with an
HTTPS login page and the following navigation is in HTTP.
>> - NTLM isn't a standard in the HTTP authentication scheme, and is insecure.
>
>I won't argue with that - but the big problem with NTLM (in my book) is
>that it isn't proxyable. That alone would make me use Basic-over-HTTPS
>any day.
>
I agree with you too, NTLM isn't proxyable, but a proxy can authenticate
the client's connection using NTLM.
Thanks for the response.
--
Emilio Casbas
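To make the point of the thread concrete, here is an added example (not from either poster): a browser that logs on over HTTPS re-sends the same Basic `Authorization` header on every later request to that realm, so once navigation drops to plain HTTP the base64-encoded credentials travel in clear. The constructed request list, the `example.test` host and the `KNOWN_USERS` table are assumptions; the first function is a detection check over captured requests, the second is the server-side guard that refuses to accept Basic credentials unless the request arrived over TLS.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: logon over HTTPS, then navigation over plain HTTP.
# The client keeps sending the same Basic header on every request.
SAMPLE_REQUESTS = [
    {"url": "https://app.example.test/login",
     "headers": {"Authorization": "Basic YWxpY2U6czNjcmV0"}},
    {"url": "http://app.example.test/reports",
     "headers": {"Authorization": "Basic YWxpY2U6czNjcmV0"}},
    {"url": "http://app.example.test/static/logo.png", "headers": {}},
]

KNOWN_USERS = {"alice": "s3cret"}  # constructed stand-in for a credential store


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def exposed_credentials(requests):
    """Detection: list (url, user) for every Basic header sent over plaintext HTTP.

    The password is deliberately not returned so the finding can be logged
    without re-exposing the secret.
    """
    findings = []
    for req in requests:
        auth = req["headers"].get("Authorization")
        if not auth or urlsplit(req["url"]).scheme != "http":
            continue
        creds = decode_basic(auth)
        if creds:
            findings.append((req["url"], creds[0]))
    return findings


def enforce_tls(request):
    """Mitigation: status code for a Basic-protected resource.

    Credentials are not even evaluated unless the request came in over TLS:
    403 for Basic over http, 301 (redirect to https) for anonymous http,
    200 for a valid user over https, 401 otherwise.
    """
    auth = request["headers"].get("Authorization")
    if urlsplit(request["url"]).scheme != "https":
        return 403 if auth else 301
    creds = decode_basic(auth) if auth else None
    if creds and KNOWN_USERS.get(creds[0]) == creds[1]:
        return 200
    return 401
```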