Re: basic auth request

2021-08-25 Thread Eli the Bearded
In comp.lang.python, Barry wrote: > It is possible to sign an ip address in a certificate, but that is not > often done. It's bad practice. I've never seen one in the wild. > Getting to reuse the IP address that example.com was using will not help > the attacker unless they can make a cert

Re: basic auth request

2021-08-25 Thread Barry
> On 25 Aug 2021, at 20:34, Eli the Bearded <*@eli.users.panix.com> wrote: > > In comp.lang.python, Jon Ribbens wrote: >> Another attempt at combatting this problem is DNS CAA records, >> which are a way of politely asking all CAs in the world except the >> ones you choose "please don't

Re: basic auth request

2021-08-25 Thread Eli the Bearded
In comp.lang.python, Jon Ribbens wrote: > On 2021-08-25, Eli the Bearded <*@eli.users.panix.com> wrote: >> $COMPANY puts out a lot of things on different IP addresses from >> a shared public(ish) pool like AWS and assigns different names >> to them. Later $COMPANY discontinues one or more of

Re: basic auth request

2021-08-25 Thread Jon Ribbens via Python-list
On 2021-08-25, Eli the Bearded <*@eli.users.panix.com> wrote: > In comp.lang.python, Jon Ribbens wrote: >> Another attempt at combatting this problem is DNS CAA records, >> which are a way of politely asking all CAs in the world except the >> ones you choose "please don't issue a certificate for

Re: basic auth request

2021-08-25 Thread Eli the Bearded
In comp.lang.python, Jon Ribbens wrote: > Another attempt at combatting this problem is DNS CAA records, > which are a way of politely asking all CAs in the world except the > ones you choose "please don't issue a certificate for my domain". > By definition someone who had hacked a CA would pay

Re: basic auth request

2021-08-25 Thread Peter J. Holzer
On 2021-08-22 19:37:24 +1000, Chris Angelico wrote: > On Sun, Aug 22, 2021 at 6:45 PM Peter J. Holzer wrote: > > > > On 2021-08-22 05:04:43 +1000, Chris Angelico wrote: > > > On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola > > > wrote: > > > > HTTPS ensures encryption so the content, including

Re: basic auth request

2021-08-25 Thread Jon Ribbens via Python-list
On 2021-08-25, Chris Angelico wrote: > On Thu, Aug 26, 2021 at 12:48 AM Jon Ribbens via Python-list > wrote: >> Another attempt at combatting this problem is DNS CAA records, >> which are a way of politely asking all CAs in the world except the >> ones you choose "please don't issue a certificate

Re: basic auth request

2021-08-25 Thread Chris Angelico
On Thu, Aug 26, 2021 at 12:48 AM Jon Ribbens via Python-list wrote: > > On 2021-08-25, Chris Angelico wrote: > > On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list > > wrote: > >> There are so many trusted CAs these days that the chances of them all > >> being secure approaches zero -

Re: basic auth request

2021-08-25 Thread Jon Ribbens via Python-list
On 2021-08-25, Chris Angelico wrote: > On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list > wrote: >> There are so many trusted CAs these days that the chances of them all >> being secure approaches zero - they are not all equal yet they are all >> equally trusted. Which is why a change

Re: basic auth request

2021-08-25 Thread Chris Angelico
On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list wrote: > > On 2021-08-25, Chris Angelico wrote: > > On Wed, Aug 25, 2021 at 5:20 PM Barry Scott wrote: > >> Only if this threat model matters to you or your organisation. > >> Personally, it's low down on the threats I watch out for. > >>

Re: basic auth request

2021-08-25 Thread Barry Scott
> On 22 Aug 2021, at 12:03, Chris Angelico wrote: > > On Sun, Aug 22, 2021 at 8:30 PM Barry Scott > wrote: >> >> >> >> On 22 Aug 2021, at 10:37, Chris Angelico wrote: >> >> When it comes to security, one thing I'm very curious about is why we >> don't have

Re: basic auth request

2021-08-25 Thread Jon Ribbens via Python-list
On 2021-08-25, Chris Angelico wrote: > On Wed, Aug 25, 2021 at 5:20 PM Barry Scott wrote: >> Only if this threat model matters to you or your organisation. >> Personally, it's low down on the threats I watch out for. >> >> The on-line world and the real-world are the same here. >> >> If a business

Re: basic auth request

2021-08-25 Thread Chris Angelico
On Wed, Aug 25, 2021 at 5:20 PM Barry Scott wrote: > > Only if this threat model matters to you or your organisation. > Personally, it's low down on the threats I watch out for. > > The on-line world and the real-world are the same here. > > If a business changes hands then do you trust the new

Re: basic auth request

2021-08-22 Thread Chris Angelico
On Sun, Aug 22, 2021 at 8:30 PM Barry Scott wrote: > > > > On 22 Aug 2021, at 10:37, Chris Angelico wrote: > > When it comes to security, one thing I'm very curious about is why we > don't have any sort of certificate renewal verification. My browser > could retain the certificates of some web

Re: basic auth request

2021-08-22 Thread Barry Scott
> On 22 Aug 2021, at 10:37, Chris Angelico wrote: > > When it comes to security, one thing I'm very curious about is why we > don't have any sort of certificate renewal verification. My browser > could retain the certificates of some web site (or of all web sites, > even - they're not THAT

Re: basic auth request

2021-08-22 Thread Chris Angelico
On Sun, Aug 22, 2021 at 6:45 PM Peter J. Holzer wrote: > > On 2021-08-22 05:04:43 +1000, Chris Angelico wrote: > > On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola > > wrote: > > > HTTPS ensures encryption so the content, including the Basic Auth > > > username and password, is secret for any

Re: basic auth request

2021-08-22 Thread Peter J. Holzer
On 2021-08-22 05:04:43 +1000, Chris Angelico wrote: > On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola > wrote: > > > > While it is correct to say that Basic Auth without HTTPS is absolutely > > insecure, using Basic Auth *and* HTTPS is not secure either. > > > > Well, the definition of "secure"

Re: basic auth request

2021-08-21 Thread Chris Angelico
On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola wrote: > > While it is correct to say that Basic Auth without HTTPS is absolutely > insecure, using Basic Auth *and* HTTPS is not secure either. > > Well, the definition of "secure" depends on your threat model. Yes. Which makes statements like

Re: basic auth request

2021-08-21 Thread Martin Di Paola
While it is correct to say that Basic Auth without HTTPS is absolutely insecure, using Basic Auth *and* HTTPS is not secure either. Well, the definition of "secure" depends on your threat model. HTTPS ensures encryption so the content, including the Basic Auth username and password, is secret

Re: basic auth request

2021-08-18 Thread Jon Ribbens via Python-list
On 2021-08-18, Robin Becker wrote: > On 17/08/2021 22:47, Jon Ribbens via Python-list wrote: > ... >> That's only true if you're not using HTTPS - and you should *never* >> not be using HTTPS, and that goes double if forms are being filled >> in and double again if passwords are being

Re: basic auth request

2021-08-18 Thread Robin Becker
On 17/08/2021 22:47, Jon Ribbens via Python-list wrote: ... That's only true if you're not using HTTPS - and you should *never* not be using HTTPS, and that goes double if forms are being filled in and double again if passwords are being supplied. I think I agree with most of the replies;

Re: basic auth request

2021-08-17 Thread Jon Ribbens via Python-list
On 2021-08-17, Barry wrote: >> That's usually irrelevant, since the alternative is most likely to be >> form fill-out, which is exactly as secure. If you're serving over >> HTTPS, the page is encrypted, and that includes the headers; if you're >> not, then it's not encrypted, and that includes

Re: basic auth request

2021-08-17 Thread Chris Angelico
On Wed, Aug 18, 2021 at 7:15 AM Barry wrote: > > > > > On 17 Aug 2021, at 19:25, Chris Angelico wrote: > > > > On Wed, Aug 18, 2021 at 4:16 AM Barry Scott wrote: > >> Oh and if you have the freedom avoid Basic Auth as it's not secure at all. > >> > > > > That's usually irrelevant, since the

Re: basic auth request

2021-08-17 Thread Barry
> On 17 Aug 2021, at 19:25, Chris Angelico wrote: > > On Wed, Aug 18, 2021 at 4:16 AM Barry Scott wrote: >> Oh and if you have the freedom avoid Basic Auth as it's not secure at all. >> > > That's usually irrelevant, since the alternative is most likely to be > form fill-out, which is

Re: basic auth request

2021-08-17 Thread Chris Angelico
On Wed, Aug 18, 2021 at 4:16 AM Barry Scott wrote: > Oh and if you have the freedom avoid Basic Auth as it's not secure at all. > That's usually irrelevant, since the alternative is most likely to be form fill-out, which is exactly as secure. If you're serving over HTTPS, the page is encrypted,

Re: basic auth request

2021-08-17 Thread Barry Scott
On Tuesday, 17 August 2021 10:20:37 BST Robin Becker wrote: > While porting an app from python2.7 to python3 I see this > > base64string = base64.b64encode('%s:%s' % (wsemail, wspassword)) > request.add_header("Authorization", "Basic %s" % base64string) > > in python3.x I find this

Re: basic auth request

2021-08-17 Thread Chris Angelico
On Wed, Aug 18, 2021 at 3:04 AM Robin Becker wrote: > > While porting an app from python2.7 to python3 I see this > > base64string = base64.b64encode('%s:%s' % (wsemail, wspassword)) > request.add_header("Authorization", "Basic %s" % base64string) > > in python3.x I find this works

basic auth request

2021-08-17 Thread Robin Becker
While porting an app from python2.7 to python3 I see this

    base64string = base64.b64encode('%s:%s' % (wsemail, wspassword))
    request.add_header("Authorization", "Basic %s" % base64string)

in python3.x I find this works

    base64string = base64.b64encode(('%s:%s' % (wsemail,