Re: [Full-disclosure] HTTP AUTH BASIC monowall.

[Matthijs van Otterdijk]

Well isn't the whole idea of SSH that the connection is encrypted? so it doesn't matter trough how many compromised networks it goes, since it gets encrypted at the sending computer and decrypted at the receiving one.

On 3/13/06, Simon Smith <[EMAIL PROTECTED]> wrote:

List,
    Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd. All basic auth does is creates a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?

--


Regards,
        Simon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/