Does anyone else feel that using HTTP BASIC AUTH for a firewall is a
bad idea even if it is SSL'd. All basic auth does is creates a hash
string for username:password using base64. That can easily be reversed
and the real username and password extracted. Sure it's SSL but can't a
crafty attacker just create a proxy of sorts on a compromised network
and intercept the communications? Am I missing something here?
If it's Basic via SSL, then it's fine. Nobody will be able to intercept it.
It is possible to setup a MITM attack using SSL, but you've got to use a
forged certificate and the browser will alert as to such. The problem
there lies in the fact that most users will blindly click "ok" to such a
dialouge.
You said this is a firewall box. Most "appliances" I've seen use
self-signed SSL certs which don't validate anyway -- so you're ALREADY
used to clicking "ok" on the warning. Therein lies the danger I suppose.
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
