Well, yes... you're right !
** Never say impossible **
On Sat, 2002-04-27 at 02:27, martin f krafft wrote:
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]:
With https data will be encripted and it's impossible to
find out login and password because they're not sent over
the
Well, yes... you're right !
** Never say impossible **
On Sat, 2002-04-27 at 02:27, martin f krafft wrote:
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]:
With https data will be encripted and it's impossible to
find out login and password because they're not sent over
the net
On Sat, Apr 27, 2002 at 03:32:45AM +0200, martin f krafft wrote:
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]:
Second more, if your users are allowed to have pages on the same
address as the login system, the browser can, without much effort,
be tricked into giving away
Steve Mickeler wrote:
Trust not in switches.
They too can be easily manipulated unless you have locked them down at a
mac address and port level.
'apt-get install dsniff' ; 'man arpspoof'
Of course, which is one of the things I had in mind when I said:
topology. Switches tend not to
Gareth Bowker wrote:
If someone's already logged in, and they visit a webpage on the same domain
which asks for a username and password for the same realm as the one used
to
log in, the browser will send the username/password pair without asking the
user for any confirmation.
At least I assume
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.27.2120 +0200]:
you know their algorithm against MAC table overflow?
No i dont.. I would be very interrested in reading about it, if you know of
a link.. Im sure that it would be possible to enforce some level of
security..
it's quite
On Sat, Apr 27, 2002 at 03:32:45AM +0200, martin f krafft wrote:
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]:
Second more, if your users are allowed to have pages on the same
address as the login system, the browser can, without much effort,
be tricked into giving away
Steve Mickeler wrote:
Trust not in switches.
They too can be easily manipulated unless you have locked them down at a
mac address and port level.
'apt-get install dsniff' ; 'man arpspoof'
Of course, which is one of the things I had in mind when I said:
topology. Switches tend not to
Gareth Bowker wrote:
If someone's already logged in, and they visit a webpage on the same domain
which asks for a username and password for the same realm as the one used
to
log in, the browser will send the username/password pair without asking the
user for any confirmation.
At least I assume
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.27.2120 +0200]:
you know their algorithm against MAC table overflow?
No i dont.. I would be very interrested in reading about it, if you know of
a link.. Im sure that it would be possible to enforce some level of
security..
it's quite simple.
Hallo Brane,
I'm actually a K-13 student, and so in my 'strategic'
position I'm on both sides, admin of debian box and 3v1l cracker :)
No, well.. I was just kidding, I have really better things to
do than actually cracking Debian boxes in pubblic environments,
but anyway I what do you think
already said)
- Dan Faerch
A/S ScanNet
(Denmark)
- Original Message -
From: eim [EMAIL PROTECTED]
To: Schusselig Brane [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 5:57 PM
Subject: Re: A more secure form of .htaccess?
Hallo Brane,
I'm actually a K-13
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]:
With https data will be encripted and it's impossible to
find out login and password because they're not sent over
the net in a clear way.
never say impossible.
--
martin; (greetings from the heart of the sun.)
\
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]:
Second more, if your users are allowed to have pages on the same
address as the login system, the browser can, without much effort,
be tricked into giving away your systems username and password to
a personal user page...
how?
Trust not in switches.
They too can be easily manipulated unless you have locked them down at a
mac address and port level.
'apt-get install dsniff' ; 'man arpspoof'
Another option would be to run switches instead of normal hub or bus
topology. Switches tend not to allow other nodes on a
Hallo Brane,
I'm actually a K-13 student, and so in my 'strategic'
position I'm on both sides, admin of debian box and 3v1l cracker :)
No, well.. I was just kidding, I have really better things to
do than actually cracking Debian boxes in pubblic environments,
but anyway I what do you think
already said)
- Dan Faerch
A/S ScanNet
(Denmark)
- Original Message -
From: eim [EMAIL PROTECTED]
To: Schusselig Brane [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Friday, April 26, 2002 5:57 PM
Subject: Re: A more secure form of .htaccess?
Hallo Brane,
I'm actually
On Fri, Apr 26, 2002 at 07:55:06PM +0200, Dan Faerch wrote:
You should be aware, that when you use normal .htaccess protection,
browser never logout..With eg. Internet Explorer, all intances of IE
have to be closed to make the browser forget the login..
Actually, I think instances of IE that
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]:
With https data will be encripted and it's impossible to
find out login and password because they're not sent over
the net in a clear way.
never say impossible.
--
martin; (greetings from the heart of the sun.)
\
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]:
Second more, if your users are allowed to have pages on the same
address as the login system, the browser can, without much effort,
be tricked into giving away your systems username and password to
a personal user page...
how?
Tom Dominico wrote:
Hello all,
I have written some php-based internal systems for our users. Users are
required to authenticate to access this system, and their login
determines what they are allowed to do within the system. I am
concerned that their logging in with cleartext passwords
Trust not in switches.
They too can be easily manipulated unless you have locked them down at a
mac address and port level.
'apt-get install dsniff' ; 'man arpspoof'
Another option would be to run switches instead of normal hub or bus
topology. Switches tend not to allow other nodes on a
Hello all,
I have written some php-based internal systems for our users. Users are
required to authenticate to access this system, and their login
determines what they are allowed to do within the system. I am
concerned that their logging in with cleartext passwords is a security
risk. I work
You might want to take a look at using digest authentication, which sends a MD5 digest
of the pasword instead of the actual password.
http://httpd.apache.org/docs/howto/auth.html
I have written some php-based internal systems for our users. Users are
required to authenticate to access this
Hello all,
I have written some php-based internal systems for our users. Users are
required to authenticate to access this system, and their login
determines what they are allowed to do within the system. I am
concerned that their logging in with cleartext passwords is a security
risk. I work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I am wondering if any of you have had similar problems. What is a more
secure way for people to login? Is SSL an option, and if so, how do I
go about using it? Do I have to purchase a certificate? Or is there
some other option? Finally,
26 matches
Mail list logo