This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
From: efflandt@xnet.com (David Efflandt)
Subject: Re: CGI for specific user only
Organization: XNet Information Systems, Inc.
Message-ID: <slrn8ouj7h.ej.efflandt@efflandt.xnet.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 8 Aug 2000 00:58:00 -0600

On 7 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
:On 6 Aug 2000 08:23:17 -0600, efflandt@xnet.com (David Efflandt)
:wrote:
:
::Assuming you are talking about Apache, it is possible that you could put
::the protected scripts in a subdirectory of cgi-bin and put the same
::.htaccess using the same authentication there. As long as the AuthName,
::user and password are the same, you should not have to re-enter your
::password.
:
:and later...
:
::If you cannot protect it with web authentication, it would be best to
::include a crypted password in the CGI. Include a field for the password
::in each form, crypt that with the crypted password, and make sure there is
::a match before accepting any data. CGI.pm makes it easy to pass the
::submitted plain text password on to subsequent forms as a visible or
::hidden field. Even if someone tried to cobble up their own form, it would
::not work without the correct password. I also like to put a 'name' and
::'domain' field on my initial login form and reject it if these contain
::anything, just to confuse anyone trying to crack it.
:
:David,
:
:I've been wondering about this lately as I'm writing my first "real"
:scripts.
:
:Assuming I can set a user name and password through .htaccess to a
:protected directory in my cgi-bin, is there any need to also put an
:encrypted password check directly in those scripts?
:
:Is the .htaccess check very easy to crack?

Well besides what Alan said, if all CGI runs as 'nobody' or similar, and
requires 755 permission, then another local user could possibly load up
the %ENV and run your scripts from the shell or their own CGI, since web
authentication only applies to web access by URL, not local access by
system path.

If the server is running cgiwrap or the suexec option of apache, then you
may be able to set CGI script permissions to 700 and data files to 600,
but normal web pages and other files accessible by URL would typically
still need 644 permission.

If you cannot put your .htpasswd script outside of your webspace, you
should at least put an .htaccess in that dir that says:

order deny,allow
deny from all

Apache will still be able to access it for authentication (by system
path), but nothing there would be accessible by URL (test it to make sure
access for anything there is denied).

--
David Efflandt efflandt@xnet.com http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://hammer.prohosting.com/~cgi-wiz/ http://cgi-help.virtualave.net/

--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED
newsgroup. aa.net and boutell.com are NOT the originators of the articles
and are NOT responsible for their content. You can SELF-APPROVE your
first posting by writing the word 'passme' on a line by itself.

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Organization: EarthLink Inc.
Message-ID: <399044e6.10893856@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 8 Aug 2000 11:43:34 -0600

On 7 Aug 2000 17:24:35 -0600, brian@smithrenaud.com (brian d foy) wrote:
:In article <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch>,
:"Alan J. Flavell" <flavell@mail.cern.ch> posted:
:
:: On 7 Aug 2000, Jon S. wrote:
:
:: : Is the .htaccess check very easy to crack?
:
:: Basic authentication is trivial to sniff on the network, if network
:: sniffing is feasible.
:
:but then, .htaccess and Basic authentication are not the same thing.
:
:of course, all of this is explained in the Apache docs.

Okay, okay, enough of batting the newbie around like a couple of cats
with a mouse. :) After lurking for months, I respect both of you guys
enough to not want to piss you off and have you killfile me.

I know that ".htaccess" doesn't automatically equal "basic
authentication", and I understand what Alan and David say regarding the
placement of the htpasswd file. Thank you.

So, I'll try to defend myself by letting you know I've done _some_
homework. I've tried reading the various docs before, and I was just
wondering how good the security was when you set up directory access
through the password file and .htaccess.
The original page I found months ago at
http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html says that because
the password can be sent as "Basic HTTP Authentication" which is
uuencoded and can be snagged by anyone with a packet sniffer. This is
what Alan mentioned, right?

But, I think I see this kind of authentication a lot. So, I'm wondering
how big of a threat this is. One of the online trading services my
in-laws use has this kind of authentication, AFAIK. And, if you can just
sniff out the response, aren't you asking for trouble? Especially if you
use DSL or a cable modem? Is this issue something to worry about? It
sounds to me like it sure could be. However, if someone's sniffing to get
this username and password, wouldn't they also get the password I submit
via a CGI form?

I finally found out some info at the Apache site. First, I had to figure
out that, even though ".htaccess" returns nothing on a search, "htaccess"
does. Then, the list of documents are things like 'Access Control by URL
http://www.apache.org/docs/location.html Ranking 500', which really
doesn't say "here's how to do it", they just show the protocols.

Reading through those, I did find the link to
http://www.apache.org/docs-1.2/mod/core.html which shows lots of the
function names in the tutorials I've read. (Including the NCSA link I
posted at the start.) I've tried to grok the core.html page a number of
times, but it just hasn't gelled for me because it's pretty abstract on
how to put it all together. Especially when you aren't the one
configuring the server.

Fortunately, you guys (Brian especially) kicked my ass in gear, and, with
some more noodling, I find that the search function on the Apache page
doesn't seem to include the FAQ. So, I searched it anyway, and I found
http://www.apache.org/docs/misc/FAQ.html#user-authentication which points
to an article http://www.apacheweek.com/features/userauth

This is what I needed.
Under security, the article says:

------------------------------------------------
Security and Digest Authentication

While authentication does allow resources to be restricted to particular
users, there are potential security issues. Some of these are:

* Care must be taken to ensure that the resource is restricted against
  all methods. Use of <Limit GET>, for instance, leaves POST and other
  request methods unprotected.

* The username and password are stored in a plain text file. While the
  password is encrypted, it is not completely safe against decryption, so
  the file should not be accessible to other users on the system. More
  importantly, it should not be placed under the document root where
  users from other sites could access it.

* The username and password is as secure as any username/password
  system, in that end-users should not tell others their password, or
  write it down, or make it easily guessable.

* The Basic authentication scheme transmits passwords across the Internet
  unencrypted, so they could be intercepted. The Digest method, see
  below, is intended to address this issue.

The Digest Authentication scheme will make the sending of passwords
across the Internet more secure. It effectively encrypts the password
before it is sent such that the server can decrypt it. It works exactly
the same as Basic authentication as far as the end-user and server
administrator is concerned. The use of Digest authentication will depend
on whether browser authors write it into their products. Apache can
already do Digest authentication, when compiled with the mod_digest
module (supplied with the Apache distribution).
------------------------------------------------

Okay, since that was written in 1996, has anything changed with any of
the browsers regarding the Digest authentication? Can I use this to get
around sniffing issues?
Finally, just to be complete and flesh out deja.com, a couple of other
tutorials I've bookmarked in the past include
http://19south.com/faq/htaccess.html and
http://bignosebird.com/passwd.shtml. The 19south.com tutorial has info on
denying an IP address, getting a different default homepage than
index.html, and preventing people from linking images (based solely on
the referrer, which I've been told can be faked).

Thanks again Brian and Alan.

Jon

From: efflandt@xnet.com (David Efflandt)
Subject: Re: CGI for specific user only
Organization: XNet Information Systems, Inc.
Message-ID: <slrn8p16hc.37f.efflandt@efflandt.xnet.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 8 Aug 2000 16:40:11 -0600

On 8 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
:But, I think I see this kind of authentication a lot. So, I'm
:wondering how big of a threat this is. One of the online trading
:services my in-laws use has this kind of authentication, AFAIK.
:And,
:if you can just sniff out the response, aren't you asking for trouble?
:Especially if you use DSL or a cable modem? Is this issue something
:to worry about? It sounds to me like it sure could be. However, if
:someone's sniffing to get this username and password, wouldn't they
:also get the password I submit via a CGI form?

Not to beat a dead horse, but if something like a shopping cart or bank
or trading house needs secure authentication, they will use SSL
(https://url). This will use encrypted passwords and data transfer. You
should never enter credit card info on any form that just uses a plain
http://url, only if it uses https (with the 's').

If I do something myself that needs to be secure, like a webshell.cgi
that runs as me, I will use both, some form of authentication and
checking my source IP (I have static PPP IP). The only time that was a
problem was when a router on the internet was caching everything, and
requests appeared to come from them. But we put a stop to that because
they have no justification for caching CGI and other no-cache data.

--
David Efflandt efflandt@xnet.com http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://hammer.prohosting.com/~cgi-wiz/ http://cgi-help.virtualave.net/
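The exchange so far (Jon's question about sniffing "Basic HTTP Authentication", the apacheweek passage he quoted on Basic versus Digest, and David's answer that serious sites put it under SSL) turns on what each scheme actually puts on the wire. The Python below is an added example, not code from anyone in this thread: it builds the Authorization header a browser sends for Basic auth and shows that the user name and password come straight back out of it for anyone who can read a plain-http connection, then implements the RFC 2617 Digest exchange (the no-qop form) on both sides, with the server holding only a hash per user and accepting each nonce once, so that a captured response replayed later is refused. The realm, user name, password and URI are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here comes from the thread.
REALM = "Protected CGI"          # would be the AuthName in .htaccess
USERNAME = "jon"
PASSWORD = "correct horse"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_in_basic_header(header: str) -> tuple[str, str]:
    """What anyone who can read a plain-http connection gets from that header.
    base64 is an encoding, not encryption, so the user name and password come
    straight back out: this is the exposure the thread is discussing and why
    Basic auth needs https underneath it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri) -> str:
    """Client side of RFC 2617 Digest auth without qop: MD5(HA1:nonce:HA2).
    The password never leaves the client; only this hash does."""
    ha1 = _md5hex(f"{user}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user (the form htdigest writes), issues a
    fresh random nonce per challenge and accepts each nonce once, so a
    captured response cannot be replayed against a later challenge."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.ha1 = {u: _md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response) -> bool:
        if nonce not in self.live_nonces:
            return False                  # unknown, expired or already used
        self.live_nonces.discard(nonce)   # single use
        ha1 = self.ha1.get(user)
        if ha1 is None:
            return False
        ha2 = _md5hex(f"{method}:{uri}")
        expected = _md5hex(f"{ha1}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def demo():
    """Run both schemes. Returns (credentials recovered from the Basic header,
    result of the first Digest verification, result of replaying the same
    Digest response)."""
    recovered = credentials_in_basic_header(basic_header(USERNAME, PASSWORD))

    server = DigestServer(REALM, {USERNAME: PASSWORD})
    uri = "/cgi-bin/admin.cgi"            # constructed sample path
    nonce = server.challenge()
    resp = digest_response(USERNAME, PASSWORD, REALM, nonce, "GET", uri)
    first = server.verify(USERNAME, nonce, "GET", uri, resp)
    replay = server.verify(USERNAME, nonce, "GET", uri, resp)
    return recovered, first, replay


if __name__ == "__main__":
    print(demo())   # (('jon', 'correct horse'), True, False)
```

Two things the example makes concrete that the quoted apacheweek text blurs: the Digest server never "decrypts" anything, it recomputes the same hash from the stored HA1 and compares, so the password file holds a realm-bound hash rather than the password; and the replay protection comes entirely from the nonce being fresh and single-use, which is the same property Alan describes later in the thread with his server-sent "salt". Neither scheme hides the request URI or body, so the thread's advice to run the whole exchange over https stands for both.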
From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID: <brian-ya02408000R0808002201030001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 8 Aug 2000 19:01:01 -0600

In article <slrn8p16hc.37f.efflandt@efflandt.xnet.com>, efflandt@xnet.com
posted:

: Not to beat a dead horse, but if something like a shopping cart or bank or
: trading house needs secure authentication, they will use SSL
: (https://url). This will use encrypted passwords and data transfer.

it won't use encrypted passwords unless you tell it to do so and the
browser supports that. the only difference is that the same transaction
happens over a secure channel.

--
brian d foy
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>
From: bigiain@mightymedia.com.au (Iain Chalmers)
Newsgroups: comp.infosystems.www.authoring.cgi
Subject: Re: CGI for specific user only
Message-ID: <bigiain-0908001253530001@bigman.mighty.com.au>
Organization: Mighty Media
Date: Wed, 09 Aug 2000 12:53:53 +1000

In article <slrn8p16hc.37f.efflandt@efflandt.xnet.com>, efflandt@xnet.com
wrote:

>You should never enter credit card info on any form that just uses a plain
>http://url, only if it uses https (with the 's').

This is correct, but possibly misleading - the html page with the form
can be served over an http connection. As long as the ACTION of the form
is using https, the data will travel over an encrypted connection - even
if the form is using the GET method (yes, unexpected (to me at least),
but true - even the request_uri is encrypted for a https connection)

cheers

Iain

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Organization: EarthLink Inc.
Message-ID: <399188ac.12312880@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 9 Aug 2000 09:55:46 -0600

On 8 Aug 2000 16:40:11 -0600, efflandt@xnet.com (David Efflandt) wrote:
:On 8 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
::But, I think I see this kind of authentication a lot. So, I'm
::wondering how big of a threat this is. One of the online trading
::services my in-laws use has this kind of authentication, AFAIK. And,
::if you can just sniff out the response, aren't you asking for trouble?
::Especially if you use DSL or a cable modem? Is this issue something
::to worry about? It sounds to me like it sure could be. However, if
::someone's sniffing to get this username and password, wouldn't they
::also get the password I submit via a CGI form?
:
:Not to beat a dead horse, but if something like a shopping cart or bank or
:trading house needs secure authentication, they will use SSL
:(https://url). This will use encrypted passwords and data transfer. You
:should never enter credit card info on any form that just uses a plain
:http://url, only if it uses https (with the 's').

Just try to log into the datek.com investment site.
It looks all the world to me like an unencrypted user authentication
request.

:If I do something myself that needs to be secure, like a webshell.cgi that
:runs as me, I will use both, some form of authentication and checking my
:source IP (I have static PPP IP). The only time that was a problem was
:when a router on the internet was caching everything, and requests
:appeared to come from them. But we put a stop to that because they have
:no justification for caching CGI and other no-cache data.

Thanks David. What you've said makes a lot of sense. If I wasn't already
completely indebted to Stein for his books, FAQ's, and CGI.pm, I'd write
him and ask him to expand his security FAQ with your posts on this. I
mean, the FAQ covers it all, but for newbies who are just using a
webhoster (there's got to be millions of us by now), it's tough to figure
out a course of action by reading it.

Of course, the second he wrote a "here's how to be safe" list, he'd get
sued the second someone got hacked even though they did it all as listed.
So, maybe not.

Now I know what to aim for.

Thanks again everyone.

Jon
From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID: <brian-ya02408000R0908001015550001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 9 Aug 2000 14:02:24 -0600

In article <bigiain-0908001253530001@bigman.mighty.com.au>,
bigiain@mightymedia.com.au (Iain Chalmers) posted:

: This is correct, but possibly misleading - the html page with the form can
: be served over an http connection. As long as the ACTION of the form is
: using https, the data will travel over an encrypted connection - even if
: the form is using the GET method (yes, unexpected (to me at least), but
: true - even the request_uri is encrypted for a https connection)

why is that unexpected? the entire transaction uses the secure channel.

the problem with GET is that form information shows up in the URI which
is leaky. it will show up in server logs and referer strings which may
not travel over secure channels, or be stored securely.
--
brian d foy
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>

From: bigiain@mightymedia.com.au (Iain Chalmers)
Newsgroups: comp.infosystems.www.authoring.cgi
Subject: Re: CGI for specific user only
Message-ID: <bigiain-1008001246120001@bigman.mighty.com.au>
Organization: Mighty Media
Date: Thu, 10 Aug 2000 12:46:12 +1000

In article <brian-ya02408000R0908001015550001@news.panix.com>,
brian@smithrenaud.com (brian d foy) wrote:

>In article <bigiain-0908001253530001@bigman.mighty.com.au>,
>bigiain@mightymedia.com.au (Iain Chalmers) posted:
>
>: This is correct, but possibly misleading - the html page with the form can
>: be served over an http connection.
>: As long as the ACTION of the form is
>: using https, the data will travel over an encrypted connection - even if
>: the form is using the GET method (yes, unexpected (to me at least), but
>: true - even the request_uri is encrypted for a https connection)
>
>why is that unexpected? the entire transaction uses the secure
>channel.

<GRIN> Well, like I said, it was unexpected to me :-)

For some reason, I made the (incorrect) assumption that because _I_ could
see the form data from a GET request in the location bar on my browser,
that the URI was going to the server in cleartext. By the time somebody
corrected me for sprouting my unwarranted assumptions in public, I was
_so_ convinced of what I "knew" that I had to resort to packet sniffing
before I'd change my mind...

Stubborn bastard, aren't I???

big

From: "Alan J. Flavell" <flavell@mail.cern.ch>
Subject: Re: CGI for specific user only
Organization: Knights of the Round Tuit
Message-ID: <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 12 Aug 2000 05:17:33 -0600

[a belated followup that will basically only confirm what others have
said...]

On 8 Aug 2000, Jon S. wrote:

[..]
: through the password file and .htaccess. The original page I found
: months ago at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
: says that because the password can be sent as "Basic HTTP
: Authentication" which is uuencoded and can be snagged by anyone with a
: packet sniffer. This is what Alan mentioned, right?

Correct. However, it's about the only method that's widely supported by
browsers. If you want to protect that authentication method against
network sniffing, then you'd need to run it over HTTPS (SSL-encrypted
HTTP) rather than plain HTTP.

: But, I think I see this kind of authentication a lot.

Yup.

: However, if
: someone's sniffing to get this username and password, wouldn't they
: also get the password I submit via a CGI form?

Sure. I don't recommend knitting your own security checks, but if you
do, then you gotta be more resourceful than that, e.g. sending the
browser some executable code (I guess java or javascript could do it)
that encrypts the user input using some kind of salt sent by the server,
before sending it over the net to the server. That way, someone who
sniffed the transaction and tried to use it again would get sent a
different salt and would fail the new challenge.

But as I say, I do NOT recommend knitting your own. Security is too
important to be taken on by amateurs like you and me, and "security by
obscurity" is ultimately a dead-end: once the secret is out, you have to
start again. The only good security is one with a widely known and
documented and peer-reviewed technique, that has been designed to be
inherently secure. Otherwise it's little better than 'hiding' the key
under the doormat.

: Reading through those, I did find the link to
: http://www.apache.org/docs-1.2/mod/core.html which shows lots of the
: function names in the tutorials I've read.

I was going to recommend the tutorials at apacheweek, but I see that
you've found them already. Good.
: *Care must be taken to ensure that the resource is restricted against
: all methods. Use of <Limit GET>, for instance, leaves POST and other
: request methods unprotected.

Absolutely. Read recent Apache documentation carefully again on that
point (the wording has been carefully hammered out in an attempt to
explain this widely-misunderstood feature).

: *The username and password are stored in a plain text file. While the
: password is encrypted, it is not completely safe against decryption,
: so the file should not be accessible to other users on the system.

Yup, that's what I meant about "cracking" it.

: The Digest Authentication scheme will make the sending of passwords
: across the Internet more secure.

As far as I'm aware, this hasn't gotten widely implemented. But maybe I
just haven't been watching hard enough. Sorry: when I don't really know
the answer, I think it's safer to be honest than to try to bluff my way
through... perhaps someone else knows what the client implementation
status is?

cheers

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Organization: EarthLink Inc.
Message-ID: <3997f9ea.2106426@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 14 Aug 2000 07:21:16 -0600

On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell" <flavell@mail.cern.ch>
wrote:
:[a belated followup that will basically only confirm what others have
:said...]

Thanks Alan, I just have one more question, you said...

:But as I say, I do NOT recommend knitting your own. Security is too
:important to be taken on by amateurs like you and me, and "security by
:obscurity" is ultimately a dead-end: once the secret is out, you have
:to start again. The only good security is one with a widely known and
:documented and peer-reviewed technique, that has been designed to be
:inherently secure. Otherwise it's little better than 'hiding' the key
:under the doormat.

Okay, so this sounds nearly like a paradox though. I mean, there doesn't
seem to be much out there for a new other than an ht password file in a
safe place on your directory and doing a secondary quick "password" field
in a form passed via https. For newbies, does it all boil down to just
those two techniques combined?
To add complication, to get https via my lowend webhosting package, I
have to use a completely separate server which looks really lousy and
hoses my image generation scheme. (It's a URL from hell on a completely
different server farm.) Oh well, for administration scripts, I guess it's
not such a big deal.

Thanks again everyone,

Jon

From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID: <brian-ya02408000R1408001418210001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 14 Aug 2000 11:19:20 -0600

In article <3997f9ea.2106426@news.earthlink.net>,
jonceramic@nospammiesno.earthlink.net (Jon S.) posted:

: Okay, so this sounds nearly like a paradox though.
I mean, there : doesn't seem to be much out there for a new other than an ht password : file in a safe place on your directory and doing a secondary quick : "password" field in a form passed via https. you are more limited by the user-agent's features than you are by the servers. : To add complication, to get https via my lowend webhosting package, I : have to use a completely separate server which looks really lousy and : hoses my image generation scheme. that sounds like a business problem rather than a technology problem. -- brian d foy CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html> Perl Mongers <URL:http://www.perl.org/> -- PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself. From: Michael Wines <u199909@purethought.com> Subject: Re: CGI for specific user only Reply-To: Michael Wines <u199909@purethought.com> Organization: Pure Thought References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> Message-ID: <3999263E.795E3FDF@purethought.com> Newsgroups: comp.infosystems.www.authoring.cgi Approved: Self-Moderation <authoring-cgi@boutell.com> NNTP-Posting-Host: 206.125.69.81 Date: 15 Aug 2000 04:12:41 -0600 X-Trace: 15 Aug 2000 04:12:41 -0600, 206.125.69.81 Lines: 39 X-Original-NNTP-Posting-Host: 204.157.220.254 Path: nntp.stanford.edu!newsfeed.stanford.edu!logbridge.uoregon.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81 Xref: nntp.stanford.edu 
comp.infosystems.www.authoring.cgi:91862 "Jon S." wrote: : : On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell" : <flavell@mail.cern.ch> wrote: : :[a belated followup that will basically only confirm what others have : :said...] : : Thanks Alan, I just have one more question, you said... : : :But as I say, I do NOT recommend knitting your own. Security is too : :important to be taken on by amateurs like you and me, and "security by : :obscurity" is ultimately a dead-end: once the secret is out, you have : :to start again. The only good security is one with a widely known and : :documented and peer-reviewed technique, that has been designed to be : :inherently secure. Otherwise it's little better than 'hiding' the key : :under the doormat. : : Okay, so this sounds nearly like a paradox though. I mean, there : doesn't seem to be much out there for a new other than an ht password : file in a safe place on your directory : and doing a secondary quick : "password" field in a form passed via https. Don't do that. https will encrypt the Basic Authentication credentials (what you call htpassword), so there is no need to have a password field in a form. : For newbies, does it all boil down to just those two techniques : combined? It works. -- PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself. From: jonceramic@nospammiesno.earthlink.net (Jon S.) Subject: Re: CGI for specific user only Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.) Organization: EarthLink Inc. 
-- http://www.EarthLink.net References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <brian-ya02408000R1408001418210001@news.panix.com> Message-ID: <39995522.4909141@news.earthlink.net> Newsgroups: comp.infosystems.www.authoring.cgi Approved: Self-Moderation <authoring-cgi@boutell.com> NNTP-Posting-Host: 206.125.69.81 Date: 15 Aug 2000 07:39:10 -0600 X-Trace: 15 Aug 2000 07:39:10 -0600, 206.125.69.81 Lines: 30 X-Original-NNTP-Posting-Host: 204.157.220.254 Path: nntp.stanford.edu!newsfeed.stanford.edu!logbridge.uoregon.edu!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81 Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91864 On 14 Aug 2000 11:19:20 -0600, brian@smithrenaud.com (brian d foy) wrote: :In article <3997f9ea.2106426@news.earthlink.net>, jonceramic@nospammiesno.earthlink.net (Jon S.) posted: : :: Okay, so this sounds nearly like a paradox though. I mean, there :: doesn't seem to be much out there for a new other than an ht password :: file in a safe place on your directory and doing a secondary quick :: "password" field in a form passed via https. : :you are more limited by the user-agent's features than you are by :the servers. got it. :: To add complication, to get https via my lowend webhosting package, I :: have to use a completely separate server which looks really lousy and :: hoses my image generation scheme. : :that sounds like a business problem rather than a technology problem. Certainly is. But, I'm living with it... Jon -- PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. 
aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself. From: jonceramic@nospammiesno.earthlink.net (Jon S.) Subject: Re: CGI for specific user only Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.) Organization: EarthLink Inc. -- http://www.EarthLink.net References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <3999263E.795E3FDF@purethought.com> Message-ID: <3999556b.4982233@news.earthlink.net> Newsgroups: comp.infosystems.www.authoring.cgi Approved: Self-Moderation <authoring-cgi@boutell.com> NNTP-Posting-Host: 206.125.69.81 Date: 15 Aug 2000 07:42:39 -0600 X-Trace: 15 Aug 2000 07:42:39 -0600, 206.125.69.81 Lines: 53 X-Original-NNTP-Posting-Host: 204.157.220.254 Path: nntp.stanford.edu!newsfeed.stanford.edu!headwall.stanford.edu!feeder.via.net!news.he.net!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81 Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91865 On 15 Aug 2000 04:12:41 -0600, Michael Wines <u199909@purethought.com> wrote: :"Jon S." wrote: :: :: On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell" :: <flavell@mail.cern.ch> wrote: :: :[a belated followup that will basically only confirm what others have :: :said...] :: :: Thanks Alan, I just have one more question, you said... :: :: :But as I say, I do NOT recommend knitting your own. Security is too :: :important to be taken on by amateurs like you and me, and "security by :: :obscurity" is ultimately a dead-end: once the secret is out, you have :: :to start again. 
The only good security is one with a widely known and :: :documented and peer-reviewed technique, that has been designed to be :: :inherently secure. Otherwise it's little better than 'hiding' the key :: :under the doormat. :: :: Okay, so this sounds nearly like a paradox though. I mean, there :: doesn't seem to be much out there for a new other than an ht password :: file in a safe place on your directory : :: and doing a secondary quick :: "password" field in a form passed via https. : :Don't do that. https will encrypt the Basic Authentication credentials :(what you call htpassword), so there is no need to have a password :field in a form. Ok. I think I understand. To get this, I have to request the password protected file with https, and once the request is set up, the browser and server decide on the SSL, and everything until I break that is encrypted? That's all it takes? The basic authentication stays inside the https "wrapping"? :: For newbies, does it all boil down to just those two techniques :: combined? : :It works. :) Well, that's all I really need to know then. Thanks again all, Jon -- PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself. 
From: brian@smithrenaud.com (brian d foy) Subject: Re: CGI for specific user only Reply-To: brian@smithrenaud.com (brian d foy) Organization: PANIX Public Access Internet and UNIX, NYC References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <3999263E.795E3FDF@purethought.com> Message-ID: <brian-ya02408000R1508001550030001@news.panix.com> Newsgroups: comp.infosystems.www.authoring.cgi Approved: Self-Moderation <authoring-cgi@boutell.com> NNTP-Posting-Host: 206.125.69.81 Date: 15 Aug 2000 12:50:37 -0600 X-Trace: 15 Aug 2000 12:50:37 -0600, 206.125.69.81 Lines: 19 X-Original-NNTP-Posting-Host: 204.157.220.254 Path: nntp.stanford.edu!newsfeed.stanford.edu!bloom-beacon.mit.edu!newsswitch.lcs.mit.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81 Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91875 In article <3999263E.795E3FDF@purethought.com>, Michael Wines <u199909@purethought.com> posted: : Don't do that. https will encrypt the Basic Authentication credentials : (what you call htpassword), so there is no need to have a password : field in a form. the password HTML widget has nothing to do with encryption, so the use of encryption does not deprecate it. -- brian d foy CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html> Perl Mongers <URL:http://www.perl.org/> -- PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself.
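An added example, not from any poster in this thread, illustrating the point Michael and brian are making about Basic Authentication: the Authorization header is only base64-encoded, so it is exactly as readable as a form password field unless the whole request is inside https. The script assumes a constructed "{SHA}"-format htpasswd entry and that the server passes the header through as HTTP_AUTHORIZATION (Apache normally checks Basic Auth itself and hands a CGI only REMOTE_USER); the HTTPS=on variable is what mod_ssl sets for CGI scripts.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed htpasswd-style table in Apache's "{SHA}" format, which stores
# base64(SHA-1(password)). The password for this made-up user is "s3cret".
HTPASSWD = {
    "jon": "{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode(),
}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic Auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_authorization(header: str) -> Optional[tuple[str, str]]:
    """Recover (user, password) from an 'Authorization: Basic ...' header.
    base64 is reversible: without TLS anyone on the path reads it just like this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password itself may contain ':'
    return (user, password) if sep else None

def check_sha_entry(entry: str, password: str) -> bool:
    """Verify a password against one "{SHA}" htpasswd entry, constant-time compare."""
    if not entry.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    return hmac.compare_digest(entry[5:], digest)

def authenticate(environ: dict) -> Optional[str]:
    """Return the authenticated user name, or None. Credentials are refused
    outright unless the CGI environment says the request came over TLS
    (mod_ssl sets HTTPS=on), so a plain-http vhost cannot collect passwords."""
    if environ.get("HTTPS", "").lower() != "on":
        return None
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION", ""))
    if creds is None:
        return None
    user, password = creds
    entry = HTPASSWD.get(user)
    if entry is None or not check_sha_entry(entry, password):
        return None
    return user
```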