
Re: A more secure form of .htaccess?



Htaccess:
-----------
You should be aware that when you use normal .htaccess protection, the browser
never logs out.. With e.g. Internet Explorer, all instances of IE have to be
closed to make the browser forget the login..

There are several tricks to make the browser forget the login, but none
really secure.. One is to make a logout link that links to e.g.
https://logout:logout@www.yourhost.com/logout

In the "logout" folder you make a new .htaccess file that uses another
htpasswd file which contains a user called logout with a password called
logout, but keeping the same REALM.. (the realm is important)..

This rewrites the browser's credentials for your realm with username and
password "logout".. (Make sure users in /logout have no vital access,
of course)

The hard part is to get people to use the logout link and not just close the
instance of the browser..

Furthermore, if your users are allowed to have pages on the same address as
the login system, the browser can, without much effort, be tricked into
giving away your system's username and password to a personal user page...


Switches:
------------
The subject on switches.. It is a general misunderstanding that switches
provide security.. There are several easy tricks to make a switch spill its
guts.. They were designed for performance and no one ever promised security
:)


SSL:
-------

No you do not need to purchase a certificate.. Simply generate your own..

Yet, in an environment where users share the same PC, security is hard to
achieve (I am assuming that you're running a Windows environment), since various
keyloggers can be installed on the clients, and you have access to the cache and
the cookies. On this I have no wondrous advice :)..


(I didn't follow the thread, only the content of this mail, so I hope I'm not
repeating anything already said)

- Dan Faerch
A/S ScanNet
(Denmark)
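The two points in Dan's mail that are configuration rather than opinion, the same-realm "logout" directory and serving Basic auth only over a self-signed HTTPS vhost, are written out below as an added example. This is not configuration from the thread or from any Debian package; it uses Apache 2.4 directive syntax (the thread predates 2.4, where the `Require` lines would read `require valid-user` / `require user logout` under Apache 1.3), and the host name, file paths and realm string "Intranet" are assumptions chosen for the example.

```apache
# Added example, not from the thread. Apache 2.4 syntax; paths, host name
# and the realm name "Intranet" are assumptions.

# --- /srv/www/intranet/.htaccess : the protected application -------------
# Every request below this directory requires a valid user from the
# intranet password file. The realm string is what the browser keys its
# cached credentials on, so it must be identical in the logout directory.
AuthType Basic
AuthName "Intranet"
AuthUserFile /etc/apache2/htpasswd.intranet
Require valid-user

# --- /srv/www/intranet/logout/.htaccess : the logout directory -----------
# Same realm, but a different password file holding exactly one account,
# user "logout" with password "logout"
# (created with: htpasswd -c /etc/apache2/htpasswd.logout logout).
# A link to https://logout:logout@intranet.example.org/logout/ makes the
# browser replace its cached "Intranet" credentials with logout/logout.
# "Require user logout" keeps real accounts out of here, and because the
# logout account exists only in htpasswd.logout it has no access anywhere
# else in the realm.
AuthType Basic
AuthName "Intranet"
AuthUserFile /etc/apache2/htpasswd.logout
Require user logout

# --- /etc/apache2/sites-available/intranet-ssl.conf ----------------------
# Self-signed certificate, no purchase needed. Generated once with e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -keyout /etc/ssl/private/intranet.key -out /etc/ssl/certs/intranet.crt
<VirtualHost *:443>
    ServerName intranet.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/intranet.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.key
    DocumentRoot /srv/www/intranet
    <Directory /srv/www/intranet>
        # Lets the two .htaccess files above take effect.
        AllowOverride AuthConfig
        Require all granted
    </Directory>
</VirtualHost>

# Never serve the application over plain HTTP: a Basic auth header on port
# 80 is exactly the cleartext password a sniffer on the LAN is waiting for.
<VirtualHost *:80>
    ServerName intranet.example.org
    Redirect permanent / https://intranet.example.org/
</VirtualHost>
```

Two operational notes. The logout link depends on the `user:password@host` URL form, which many browsers now strip, block or prompt about, so it should be treated as best effort, and since Basic credentials are cached per host and realm, user-editable pages belong on a separate host name rather than under the same vhost, which is the credential-leak Dan warns about. With a self-signed certificate, install the certificate in the client browsers (or the shared PCs' trust store) instead of letting users click through the warning every time; otherwise they learn to accept any certificate, including one presented by a machine impersonating the server.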




----- Original Message -----
From: "eim" <eim@eimbox.org>
To: "Schusselig Brane" <willwesleyccna@yahoo.de>
Cc: <debian-security@lists.debian.org>
Sent: Friday, April 26, 2002 5:57 PM
Subject: Re: A more secure form of .htaccess?


> Hallo Brane,
>
> I'm actually a K-13 student, and so in my 'strategic'
> position I'm on both sides, admin of debian box and 3v1l cracker :)
>
> No, well.. I was just kidding, I have really better things to
> do than actually cracking Debian boxes in public environments,
> but anyway, what do you think about using https for .htaccess
> authentication ?
>
> With https data will be encrypted and it's impossible to
> find out login and password because they're not sent over
> the net in a clear way.
>
> Consider using https.
>
> Good work and protect your boxes !
>
>  - Ivo
>
> On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote:
> > Tom Dominico wrote:
> > >
> > > Hello all,
> > >
> > > I have written some php-based internal systems for our users.  Users are
> > > required to authenticate to access this system, and their login
> > > determines what they are allowed to do within the system.  I am
> > > concerned that their logging in with cleartext passwords is a security
> > > risk.  I work in a K-12 school environment, and many of these students
> > > are rather devious and resourceful (as I was at that age :) ).  My fear
> > > is some bright student setting a sniffer up on my network and gleaning
> > > passwords from it.
> > >
> > > I am wondering if any of you have had similar problems.  What is a more
> > > secure way for people to login?  Is SSL an option, and if so, how do I
> > > go about using it?  Do I have to purchase a certificate?  Or is there
> > > some other option?  Finally, should I be using .htaccess at all, or is
> > > there a better way?  Thank you in advance for your advice.
> >
> > Another option would be to run switches instead of normal hub or bus
> > topology. Switches tend not to allow other nodes on a network to see
> > data that is passing over it. However, it will more than likely prove to
> > be a PITA to convince budget makers to allow the expense of the new
> > equipment.
> >
> > Useless input, I know. But, I didn't see anyone else mention this. As a
> > side note, if your installation is new enough, switches may already be
> > in place, and you don't have much to worry about as far as stuff getting
> > sniffed off the network. That is, of course, if the network was designed
> > with that in mind.
> >
> > -Will Wesley, CCNA
> > To make tax forms true they should read "Income Owed Us" and "Incommode
> > You".
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
>
>
>

