Since SSL is invoked before the HTTP request can be decrypted, the 401
response should NOT be returned to the browser.  Therefore it would appear
that your configuration is flawed, allowing HTTP access to the virtual host
or directory with authentication enabled.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, April 18, 2000 8:33 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [BugDB] Basic Auth unsafe even over SSL (PR#372)
>
>
> Full_Name: Piet Ruyssinck
> Version: 2.6.3-1.3.12
> OS: Solaris
> Submission from: (NULL) (157.193.44.18)
>
>
> I have an apache 1.3.12 webserver running over SSL (via mod_ssl).  SSL,
> of course, because I'm doing Basic Authentication and I don't want my
> users' passwords to be eavesdropped upon.
>
> Let the URL to some protected page be
> https://myhost.my.domain/topsecret/index.html
>
> The security issue/hole here is that when you would direct your browser
> to http://myhost.my.domain:433/topsecret/index.html you will be asked
> for your credentials, which are then transmitted unencrypted (i.e. not
> over SSL).  At this point, the apache httpd will return some protocol
> mismatch error message, but this is AFTER you have sent your cleartext
> credentials.
>
> Why would I go to this wrong URL?  I wouldn't of course.  But someone
> else (someone with the means to eavesdrop on the communication) might
> try to lure people into using this wrong URL by setting up a web page
> containing such a phony link to my site.
>
> If I understand correctly what the software is doing, the
> server answers the regular http request with a regular http reply
> containing a 401 error.  The browser sends the basic authentication
> credentials in a second http request, again to port 443.  At that
> point the server delivers a protocol-mismatch error.
>
> If that's what's happening, then it seems to me that it's clearly a
> bug in the server, which should have delivered the protocol-mismatch
> error on the first request, instead of demanding credentials.
>
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
>

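The exposure the report describes only arises when a Basic-Auth-protected directory is reachable from a plaintext listener as well as the SSL one. Below is an added configuration example (not from either poster, and not mod_ssl's own documentation) showing the weak layout beside a hardened one; the hostname and path come from the report, while the document root and htpasswd path are placeholders.

```apache
# Weak: the auth block sits outside any VirtualHost, so it applies to the
# plaintext listener too and the 401 challenge goes out in cleartext before
# any redirect or protocol error is seen by the client.
<Directory "/var/www/htdocs/topsecret">
    AuthType Basic
    AuthName "Top Secret"
    AuthUserFile /etc/apache/htpasswd
    Require valid-user
</Directory>

# Hardened: two changes, either of which alone stops the plaintext challenge.
#
# 1. The plaintext vhost never serves the protected tree; it only redirects.
<VirtualHost _default_:80>
    ServerName myhost.my.domain
    Redirect permanent /topsecret https://myhost.my.domain/topsecret
</VirtualHost>

# 2. SSLRequireSSL on the protected directory. mod_ssl evaluates it in the
#    access-check phase, which runs before the user-id (auth) phase, so a
#    request that did not arrive over SSL is refused with 403 and never
#    receives a WWW-Authenticate challenge.
<Directory "/var/www/htdocs/topsecret">
    SSLRequireSSL
    AuthType Basic
    AuthName "Top Secret"
    AuthUserFile /etc/apache/htpasswd
    Require valid-user
</Directory>

<VirtualHost _default_:443>
    ServerName myhost.my.domain
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as usual (omitted here)
</VirtualHost>
```

After reloading, a plain `http://` request for the protected path should yield a redirect or 403 and must never contain a `WWW-Authenticate` header; that header appearing on the plaintext side is the misconfiguration to look for.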