Re: [Very OT] IIS Basic Authentication can be used for phishing

To: Debian Users List <debian-user@lists.debian.org>
Subject: Re: [Very OT] IIS Basic Authentication can be used for phishing
From: Upayavira <uv@upaya.co.uk>
Date: Wed, 10 Nov 2004 07:13:56 +0000
Message-id: <[🔎] 4191BFB4.2020601@upaya.co.uk>
In-reply-to: <[🔎] 20041110064836.GA15866@alltel.net>
References: <[🔎] 20041110064836.GA15866@alltel.net>

William Ballard wrote:

Just learned IIS Basic authentication transmits
a users user name and password in Base64 over the internet.

MS recommends you use SSL with it.

But, even if you do that, can't you use an ISAPI
to silently phish somebody's password?  Or even if the dialog
comes up, Granma and Granpa will hit okay.

Hm.  Sorry, I know it's very OT, but I don't want to subscribe
to a security list just to make this one observation.

Any thoughts?

How is this different from Apache's basic authentication, which Ibelieve also passes user/pass information as plain text?


You should use SSL with Apache too.

Regards, Upayavira

Reply to:

Follow-Ups:
- Re: [Very OT] IIS Basic Authentication can be used for phishing
  - From: William Ballard <nospam_40811@alltel.net>
- Re: [Very OT] IIS Basic Authentication can be used for phishing
  - From: David Dorward <dorward@gmail.com>

References:
- [Very OT] IIS Basic Authentication can be used for phishing
  - From: William Ballard <nospam_40811@alltel.net>

Prev by Date: Lilo boot from second drive - success
Next by Date: Re: Out of room on /usr partition
Previous by thread: [Very OT] IIS Basic Authentication can be used for phishing
Next by thread: Re: [Very OT] IIS Basic Authentication can be used for phishing
Index(es):
- Date
- Thread