[thelist] how secure is htauth
Seb Barre
sebastien at oven.com
Mon Oct 23 10:27:25 CDT 2000
At 04:59 PM 10/23/2000 +0200, you wrote:
>Hi everybody,
>I want to keep my admin scripts in a secure directory on my server.
>Therefore, I set up the "AuthType Basic" in my httpd.conf.
>Now I wonder: how secure is this?
>
>Sure, I know the saying "If you don't want anybody to see it, don't put
>it online." But these are my admin scripts that need to be run from a
>browser and I don't care *that* much if you can hack it - at least if it
>takes longer than 10 min. ;)
>I'm not the Pentagon.
>
>I'm just curious if there are known bugs in Apache/1.3.12 (on a RedHat
>box) or known hacks that would make it too easy.
Anyone sniffing your packets can pick up your login and activity. You
should look into the Digest AuthType, which uses MD5 crypted hash messages
if I remember correctly. The only thing to check is that your browser of
choice supports Digest authentication.. Check the Apache docs for more
info...
Also, you may want to consider putting those scripts on an https connection
instead, since otherwise your traffic runs over the net in the clear, even
after you authenticate. So if you're updating or loading any kind of
sensitive info (like credit cards or company banking/finance info), there
is nothing stopping someone from sniffing your traffic after you've logged
in and started working. Crackers aside, you'd be surprised how many bored
ISP technicians sniff packets while they're monitoring the network.
If you can deal with having to click through an invalid certificate each
time you start it up, you can just sign your own server certificate when
you build apache+mod_ssl, as opposed to having to buy a CRT (ie: get
ripped) from a trusted vendor, mostly if it's not a public server. It's
really not that difficult to do and it's worthwhile in my mind, mostly for
admin stuff.. If you have the luxury of being able to rebuild the Apache
install that is..
--- -- -
Seb Barre - sebastien at oven.com
OVEN Digital Toronto
Work: 416-595-9750 x 222
Mobile: 416-254-5078
http://www.oven.com/
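Added example, not part of the thread, showing the difference Seb describes in Python: AuthType Basic sends a reversible base64 of user:password, while Digest (RFC 2617, the scheme behind Apache's Digest AuthType) sends an MD5 bound to the server nonce, which the server checks against the HA1 an htdigest file stores. The realm, nonce, user and password are constructed sample values.

```python
import base64
import hashlib
import hmac

REALM = "Admin Scripts"                        # constructed: AuthName of the protected dir
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Authorization header AuthType Basic sends; base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def ha1(user: str, realm: str, password: str) -> str:
    """The per-user value an htdigest file stores (user:realm:HA1)."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 client response (qop=auth): only this hash crosses the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(digest_file: dict, user: str, realm: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    A response made for a different nonce fails, so a captured one cannot be
    replayed against a fresh challenge."""
    stored = digest_file.get((user, realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample: one user in the digest file, one GET for /admin/.
DIGEST_FILE = {("admin", REALM): ha1("admin", REALM, "correct-horse")}


def demo(nonce: str = NONCE, password: str = "correct-horse") -> bool:
    cnonce, nc = "0a4f113b", "00000001"
    resp = digest_response(ha1("admin", REALM, password), "GET", "/admin/",
                           nonce, nc, cnonce)
    return server_verify(DIGEST_FILE, "admin", REALM, "GET", "/admin/",
                         nonce, nc, cnonce, resp)
```

Digest keeps the password off the wire, but the request and response bodies still travel in the clear, which is why the https suggestion above still applies.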