Without SSL forget about the authentication part. I can do man in the middle attacks (provided I can get in the middle), replay attacks and hell I can just watch what you do and get all of the information I need. Do I need special tools? Perhaps, but not if I'm using Linux, tcpdump should do the trick.
It depends, do you want some degree of security or just "look secure"? A big problem with Basic is that you have NO control over the scope of the session. You have *no* idea how long the browser will cache the authentication tokens. Besides the lameness of a spec that defines login but not logout. I mean, it's just silly.

-Andy

> From: Henri Yandell <[EMAIL PROTECTED]>
> Reply-To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
> Date: Sun, 11 Apr 2004 12:42:23 -0400 (EDT)
> To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
> Subject: Re: [Juglist] Re: HTTP authentication -- was too few warnings among us about bad code
>
> Apart from being able to integrate the login into the page, what then is the advantage of Form Auth over Basic?
>
> Both are basically crap without SSL. The only advantage I can think of for Form Auth is that the login process can be over SSL, but then it can move out of SSL and rely on Session memory. Which, as the session id is in either a cookie or the URLs, would be insecure, though only insecure in a session's lifetime.
>
> Useful for big sites where everything in SSL might be a CPU issue, but generally it could all just stay in SSL, so why not just use Basic?
>
> Just wondering. I find that the choice is often driven by how the business people want it to look.
>
> Hen
>
> On Sat, 10 Apr 2004, Andrew Oliver wrote:
>
>> Form Authentication with SSL works acceptably. Actually password anything isn't really that secure. However Form/SSL is acceptable for most apps. You can't have anything more than mimic security without encryption. The session is keyed to a token. If it's not encrypted, I can intercept it and probably change your password or at least have fun for a session.
>>
>> -andy
>>
>>> From: "Richard O. Hammer" <[EMAIL PROTECTED]>
>>> Reply-To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
>>> Date: Sat, 10 Apr 2004 12:50:14 -0400
>>> To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
>>> Subject: [Juglist] Re: HTTP authentication -- was too few warnings among us about bad code
>>>
>>> Hugh Allen wrote:
>>>> * HTTP basic authentication
>>>> * Form-based authentication
>>>> * Client-certificate authentication
>>>
>>> I had lumped HTTP Basic authentication together with FORM authentication, and meant both of them when I wrote about "HTTP authentication" in my last post. I was thinking that form based authentication was a kind of HTTP authentication, but I may be mistaken about that. Anyhow, form-based authentication is what I have recently found to have enough gotchas to drive me to look for better, maybe to write my own.
>>>
>>>> It appears that Form-based authentication, when combined with SSL, is flexible and does not expose passwords or messages in plain text.
>>>
>>> I agree. It APPEARS decent. But how often is it actually used in serious work?
>>>
>>>> ... This is what I plan to use for my production environment, but I haven't gotten the SSL cert yet.
>>>
>>> Based upon my limited experience, I warn you against form based authentication. The SSL part has worked without difficulty for me, however.
>>>
>>> Thank you for the links.
>>>
>>> Rich Hammer

_______________________________________________
Juglist mailing list
[EMAIL PROTECTED]
http://trijug.org/mailman/listinfo/juglist_trijug.org
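An added example, not from the thread, of what Andy's "tcpdump should do the trick" amounts to, written as an audit check a defender would run over a plaintext (non-SSL) capture: both the Basic credentials and the form-auth session cookie are readable verbatim by anyone on the path. The capture, host name, user and token values are constructed for the example.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample capture (not real traffic): what a reassembled port-80 HTTP
# stream looks like for a Basic-auth request followed by a form-auth session
# request. Requests are separated by the blank line that ends the headers.
CAPTURE = (
    "GET /app/report HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
    "GET /app/report HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Cookie: theme=dark; JSESSIONID=C0FFEE12345678\r\n"
    "\r\n"
)

def parse_requests(capture: str) -> List[Dict[str, str]]:
    """Split a plaintext capture into one header dict per request (names lower-cased)."""
    requests = []
    for chunk in capture.split("\r\n\r\n"):
        lines = chunk.split("\r\n")
        if not lines[0]:
            continue  # trailing empty chunk after the last request
        headers = {"request-line": lines[0]}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append(headers)
    return requests

def audit_request(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for secrets an on-path observer reads as-is."""
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic is an encoding, not encryption: "user:password" is recoverable
        # by anyone who sees the request. Only the user name is reported.
        user, _, _password = base64.b64decode(auth[6:]).decode().partition(":")
        findings.append(("basic-credentials-exposed", user))
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if name.upper() == "JSESSIONID":
            # The form-auth session token: replayable for the session's lifetime.
            findings.append(("session-token-exposed", value))
    return findings

def audit_capture(capture: str) -> List[Tuple[str, str]]:
    return [f for req in parse_requests(capture) for f in audit_request(req)]

if __name__ == "__main__":
    for finding, detail in audit_capture(CAPTURE):
        print(f"{finding}: {detail}")
```

The same check run against a capture of the SSL-protected version of the site finds nothing, because the headers are not visible in the first place.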
