From: Ogle Ron (Rennes) (ron.ogle_at_thomson.net)
Date: Mon Aug 26 2002 - 06:59:44 CDT
Basic Authentication is a bit more secure than session authentication
especially when used in combination with SSL/TLS, but certificate
authentication is at least a magnitude stronger if not more than either one
of the other authentication mechanisms.
The security difference between basic authentication and session
authentication is not in the credentials but in the web server itself.
Basic authentication doesn't require access into the web server's pages
where session authentication does. If the web server is vulnerable to a
hack, then an attack may be carried out from the session
authentication page before credentials are validated. This would not be
possible with basic authentication.
Another weakness in session authentication is that the "developer" of the
session authentication web page and back end must have developed this
correctly to prevent buffer overflows and such. I would also put more
"trust" into the quality of the basic authentication than session
authentication because basic authentication is done by the web server and
not just any site developer. My belief is that the web server code would
have been infinitely more reviewed and tested than the site developer's
session authentication code.
Of course, both modes of authentication are still vulnerable to brute force
attacks. Of course, a one-time password would help out both situations.
For certificate authentication, authentication takes place before the
SSL/TLS session is completed. Therefore, you can't even get access to the
web server process until authentication has been approved and access
permitted. So unless the SSL/TLS software can be hacked, the attacker
cannot get in without valid credentials.
> -----Original Message-----
> From: David Endler [mailto:dendleridefense.com]
> Sent: Saturday, August 24, 2002 06:33 PM
> To: webmastercyberfly.net
> Cc: webappsecsecurityfocus.com
> Subject: RE: Warning: PHP 4.2 may put session ids in URLs
> Hi Peter,
> I don't quite see how HTTP Basic Authentication is any more
> secure than using "session authentication". In a sense,
> you're now doing entity authentication but your "session id"
> is now the base 64 encoding of the username and password
> transmitted in the HTTP header. In fact, I would say this is
> less secure.
> If the Basic Authentication string is captured, sniffed,
> MiTMed, etc., then the attacker can easily base64 decode the
> victim's username and password. This is worse than session
> hijacking in my mind. Especially if the user has the same
> credentials across multiple web applications.
> In general it is bad practice to maintain state or preserve
> authentication variables in the browser or webapp with any
> values in which the username or password can be reverse
> engineered. It *IS* possible for a secure session management
> scheme using traditional session ids:
> http://www.owasp.org/guide -> "Managing User Sessions" is a
> good starting point. The guide is currently being updated, so
> feedback is more than welcome.
> > -----Original Message-----
> > From: Peter Petermann [mailto:webmastercyberfly.net]
> > Sent: Saturday, August 24, 2002 11:38 AM
> > To: 'Sverre H. Huseby'
> > Cc: webappsecsecurityfocus.com
> > Subject: RE: Warning: PHP 4.2 may put session ids in URLs
> > Do not rely on session authentication.
> > It is just insecure.
> > Even cookies may be read by others. So just don't do that.
> > For having a working, more secure authentication,
> > Use HTTP Base Authentication
> > (since you are using PHP, a view on
> > http://www.php.net/manual/en/features.http-auth.php could
> > Regards,
> > Peter Petermann
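An added example (mine, not code from any of the posters or from the OWASP guide) in Python, tying together two points in this thread: a captured Basic header decodes straight back to the username and password, whereas a session id drawn from the OS CSPRNG reveals nothing, and, for the subject line, a scan of constructed access-log lines for session ids that ended up in URLs. The parameter names, the log lines and the credentials are assumptions.

```python
import base64
import binascii
import re
import secrets
from urllib.parse import parse_qs, urlsplit

def decode_basic_header(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value.
    Base64 is encoding, not encryption: whoever captures the header has
    the credentials, which is the point made about sniffing Basic auth."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, _, password = raw.partition(":")  # RFC 2617: user-id ":" password
    return user, password

def new_session_id(nbytes=16):
    """Opaque session id from the OS CSPRNG. A captured id can be replayed
    until it expires, but it reveals nothing about the user's password."""
    return secrets.token_hex(nbytes)

SESSID_PARAMS = ("PHPSESSID", "sid", "sessionid")  # assumed parameter names

def urls_leaking_session_ids(access_log_lines, params=SESSID_PARAMS):
    """Scan Common/Combined Log Format lines for request URLs carrying a
    session id in the query string (what PHP's trans_sid produces) and
    return the offending (client_ip, url) pairs so URL ids can be disabled."""
    log_re = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    leaks = []
    for line in access_log_lines:
        m = log_re.match(line)
        if not m:
            continue
        client_ip, url = m.groups()
        query = parse_qs(urlsplit(url).query)
        if any(p in query for p in params):
            leaks.append((client_ip, url))
    return leaks

# Constructed sample input, not taken from the list thread.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Aug/2002:06:59:44 -0500] "GET /index.php?PHPSESSID=abc123 HTTP/1.0" 200 512',
    '10.0.0.6 - - [26/Aug/2002:07:00:01 -0500] "GET /index.php HTTP/1.0" 200 512',
]
```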