[thelist] how secure is htauth

Seb Barre sebastien at oven.com
Mon Oct 23 10:27:25 CDT 2000

At 04:59 PM 10/23/2000 +0200, you wrote:
>Hi everybody,
>I want to keep my admin scripts in a secure directory on my server.
>Therefore, I set up the "AuthType Basic" in my httpd.conf.
>Now I wonder: how secure is this?
>Sure, I know the saying "If you don't want anybody to see it, don't put
>it online." But these are my admin scripts that need to be run from a
>browser and I don't care *that* much if you can hack it - at least if it
>takes longer than 10 min. ;)
>I'm not the Pentagon.
>I'm jsut curious if there are known bugs in Apache/1.3.12 (on a ReHat
>box) or knows hacks that would make it too easy.

Anyone sniffing your packets can pick up your login and activity.  You 
should look into the Digest AuthType, which uses MD5 crypted hash messages 
if I remember correctly.  The only thing to check is that your browser of 
choice supports Digest authentication..  Check the Apache docs for more 

Also, you may want to consider putting those scripts on an https connection 
instead, since otherwise your traffic runs over the net in the clear, even 
after you authenticate.  So if you're updating or loading any kind of 
sensitive info (like credit cards or company banking/finance info), there 
is nothing stopping someone from sniffing your traffic after you've logged 
in and started working.  Crackers aside, you'd be surprised how many bored 
ISP technicians sniff packets while they're monitoring the network.

If you can deal with having to click through an invalid certificate each 
time you start it up, you can just sign your own server certificate when 
you build apache+mod_ssl, as opposed to having to buy a CRT (ie: get 
ripped) from a trusted vendor, mostly if it's not a public server.  It's 
really not that difficult to do and it's worthwhile in my mind, mostly for 
admin stuff..   If you have the luxury of being able to rebuild the Apache 
install that is..

--- -- -
Seb Barre - sebastien at oven.com
OVEN Digital Toronto
Work: 416-595-9750 x 222
Mobile: 416-254-5078

More information about the thelist mailing list