cgi-authentication

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



From: efflandt@xnet.com (David Efflandt)
Subject: Re: CGI for specific user only
Reply-To: efflandt@xnet.com
Organization: XNet Information Systems, Inc.
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net>
Message-ID: <slrn8ouj7h.ej.efflandt@efflandt.xnet.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 8 Aug 2000 00:58:00 -0600
X-Trace: 8 Aug 2000 00:58:00 -0600, 206.125.69.81
Lines: 63
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!newsfeed.cwix.com!natasha.rmii.com!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91687

On 7 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
:On 6 Aug 2000 08:23:17 -0600, efflandt@xnet.com (David Efflandt)
:wrote:
:
::Assuming you are talking about Apache, it is possible that you could put
::the protected scripts in a subdirectory of cgi-bin and put the same
::.htaccess using the same authentication there.  As long as the AuthName,
::user and password are the same, you should not have to re-enter your
::password.
:
:and later...
:
::If you cannot protect it with web authentication, it would be best to
::include a crypted password in the CGI.  Include a field for the password
::in each form, crypt that with the crypted password, and make sure there is
::a match before accepting any data.  CGI.pm makes it easy to pass the
::submitted plain text password on to subsequent forms as a visible or
::hidden field.  Even if someone tried to cobble up their own form, it would
::not work without the correct password.  I also like to put a 'name' and
::'domain' field on my initial login form and reject it if these contain
::anything, just to confuse anyone trying to crack it.
:
:David,
:
:I've been wondering about this lately as I'm writing my first "real"
:scripts.
:
:Assuming I can set a user name and password through .htaccess to a
:protected directory in my cgi-bin, is there any need to also put an
:encrypted password check directly in those scripts?
:
:Is the .htaccess check very easy to crack?

Well besides what Alan said, if all CGI runs as 'nobody' or similar, and
requires 755 permission, then another local user could possibly load up
the %ENV and run your scripts from the shell or their own CGI, since web
authentication only applies to web access by URL, not local access by
system path.  If the server is running cgiwrap or the suexec option of
apache, then you may be able to set CGI script permissions to 700 and data
files to 600, but normal web pages and other files accessible by URL would
typically still need 644 permission.

If you cannot put your .htpasswd script outside of your webspace, you
should at least put an .htaccess in that dir that says:

order deny,allow
deny from all

Apache will still be able to access it for authentication (by system
path), but nothing there would be accessible by URL (test it to make sure 
access for anything there is denied).

-- 
David Efflandt  efflandt@xnet.com  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://hammer.prohosting.com/~cgi-wiz/  http://cgi-help.virtualave.net/

--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a
SELF-MODERATED newsgroup. aa.net and boutell.com are
NOT the originators of the articles and are NOT responsible
for their content. You can SELF-APPROVE your first posting
by writing the word 'passme' on a line by itself.
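The permission advice above (0755 scripts under a 'nobody' CGI setup, 0700/0600 under suexec or cgiwrap, and a deny-all .htaccess on the directory holding .htpasswd) is easy to get wrong by hand, so here is an added audit script for that layout. It is not code from the post or from Apache; it builds a constructed sample directory in a temp location, and the deployment models, file names and the "scripts end in .cgi/.pl" rule are assumptions of the example.

```python
import os
import stat
import tempfile

# Two deployment models, as described in the post (assumed for the audit):
#  - plain CGI running as 'nobody': scripts need 0755, and any data file
#    the script reads is necessarily readable by other local users;
#  - suexec/cgiwrap: the script runs as its owner, so 0700 scripts and
#    0600 data files are possible and should be used.
SCRIPT_SUFFIXES = (".cgi", ".pl")   # assumption: how scripts are recognised


def audit_file(name, mode, suexec):
    """Return a finding for one file's mode, or None if it is acceptable."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group/other"
    if name.startswith(".ht"):
        # .htaccess/.htpasswd are read by the server itself (by system
        # path), so they must remain readable by the server's own user.
        return None
    if name.endswith(SCRIPT_SUFFIXES):
        if suexec and mode & 0o077:
            return "script accessible by others; 0700 suffices under suexec"
        return None
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        if suexec:
            return "data file readable by other local users; use 0600"
        return ("data file readable by other local users "
                "(unavoidable when CGI runs as nobody)")
    return None


def audit_cgi_dir(root, suexec):
    """Walk root; return [(relative path, finding)] for questionable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            finding = audit_file(name, mode, suexec)
            if finding:
                findings.append((os.path.relpath(path, root), finding))
    return findings


def htpasswd_dir_denied(dirpath):
    """True if dirpath has an .htaccess carrying the post's
    'order deny,allow' + 'deny from all' pair (nothing reachable by URL)."""
    try:
        with open(os.path.join(dirpath, ".htaccess")) as fh:
            directives = {" ".join(line.split()).lower() for line in fh}
    except FileNotFoundError:
        return False
    return {"order deny,allow", "deny from all"} <= directives


def build_sample_tree(protect=True):
    """Create a constructed cgi-bin/admin-style directory in a temp
    location and return its path (sample data only, not a deployment)."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    samples = {
        "edit.cgi": (0o755, "#!/usr/bin/perl\n"),
        "counter.dat": (0o666, "42\n"),                       # too loose
        ".htpasswd": (0o644, "jon:PLACEHOLDER-CRYPT-HASH\n"),  # constructed
    }
    if protect:
        samples[".htaccess"] = (0o644, "order deny,allow\ndeny from all\n")
    for name, (mode, content) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for model in (False, True):
        print("suexec" if model else "nobody", audit_cgi_dir(root, model))
    print(".htpasswd dir denied by URL:", htpasswd_dir_denied(root))
```

The script only reports mode bits; as the post says, the .htaccess rule still has to be tested by requesting a file in that directory by URL and confirming the server refuses it.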

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.)
Organization: EarthLink Inc. -- http://www.EarthLink.net
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com>
Message-ID: <399044e6.10893856@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 8 Aug 2000 11:43:34 -0600
X-Trace: 8 Aug 2000 11:43:34 -0600, 206.125.69.81
Lines: 120
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!cyclone.bc.net!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91705

On 7 Aug 2000 17:24:35 -0600, brian@smithrenaud.com (brian d foy)
wrote:

:In article <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch>, "Alan J. Flavell" <flavell@mail.cern.ch> posted:
:
:: On 7 Aug 2000, Jon S. wrote:
: 
:: : Is the .htaccess check very easy to crack?
:
:: Basic authentication is trivial to sniff on the network, if network
:: sniffing is feasible.
:
:but then, .htaccess and Basic authentication are not the same thing.
:
:of course, all of this is explained in the Apache docs.

Okay, okay, enough of batting the newbie around like a couple of cats
with a mouse.  :)  After lurking for months, I respect both of you
guys enough to not want to piss you off and have you killfile me.

I know that ".htaccess" doesn't automatically equal "basic
authentication", and I understand what Alan and David say regarding
the placement of the htpasswd file.  Thank you.

So, I'll try to defend myself by letting you know I've done _some_
homework.  I've tried reading the various docs before, and I was just
wondering how good the security was when you set up directory access
through the password file and .htaccess.  The original page I found
months ago at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
says that because the password can be sent as "Basic HTTP
Authentication" which is uuencoded and can be snagged by anyone with a
packet sniffer.  This is what Alan mentioned, right?

But, I think I see this kind of authentication a lot.  So, I'm
wondering how big of a threat this is.  One of the online trading
services my in-laws use has this kind of authentication, AFAIK.  And,
if you can just sniff out the response, aren't you asking for trouble?
Especially if you use DSL or a cable modem?  Is this issue something
to worry about?  It sounds to me like it sure could be.  However, if
someone's sniffing to get this username and password, wouldn't they
also get the password I submit via a CGI form?

I finally found out some info at the Apache site.  First, I had to
figure out that, even though ".htaccess" returns nothing on a search,
"htaccess" does.  Then, the list of documents are things like 'Access
Control by URL http://www.apache.org/docs/location.html Ranking 500'.
which really doesn't say "here's how to do it", they just show the
protocols.

Reading through those, I did find the link to
http://www.apache.org/docs-1.2/mod/core.html which shows lots of the
function names in the tutorials I've read.  (Including the NCSA link I
posted at the start.)  I've tried to grok the core.html page a number
of times, but it just hasn't gelled for me because it's pretty
abstract on how to put it all together.  Especially when you aren't
the one configuring the server.

Fortunately, you guys (Brian especially) kicked my ass in gear, and,
with some more noodling, I find that the search function on the Apache
page doesn't seem to include the FAQ.  So, I searched it anyway, and I
found http://www.apache.org/docs/misc/FAQ.html#user-authentication
which points to an article http://www.apacheweek.com/features/userauth

This is what I needed.

Under security, the article says:
------------------------------------------------
Security and Digest Authentication

While authentication does allow resources to be restricted to
particular users, there are potential security issues. Some of these
are: 
*Care must be taken to ensure that the resource is restricted against
all methods. Use of <Limit GET>, for instance, leaves POST and other
request methods unprotected. 
*The username and password are stored in a plain text file. While the
password is encrypted, it is not completely safe against decryption,
so the file should not be accessible to other users on the system.
More importantly, it should not be placed under the document root
where users from other sites could access it. 
*The username and password are as secure as any username/password
system, in that end-users should not tell others their password, or
write it down, or make it easily guessable. 
*The Basic authentication scheme transmits passwords across the
Internet unencrypted, so they could be intercepted. The Digest method,
see below, is intended to address this issue. 

The Digest Authentication scheme will make the sending of passwords
across the Internet more secure. It effectively encrypts the password
before it is sent such that the server can decrypt it. It works
exactly the same as Basic authentication as far as the end-user and
server administrator is concerned. The use of Digest authentication
will depend on whether browser authors write it into their products.
Apache can already do Digest authentication, when compiled with the
mod_digest module (supplied with the Apache distribution). 
------------------------------------------------

Okay, since that was written in 1996, has anything changed with any of
the browsers regarding the Digest authentication?  Can I use this to
get around sniffing issues?

Finally, just to be complete and flesh out deja.com, a couple of other
tutorials I've bookmarked in the past include
http://19south.com/faq/htaccess.html and
http://bignosebird.com/passwd.shtml.

The 19south.com tutorial has info on denying an IP address, getting a
different default homepage than index.html, and preventing people from
linking images (based solely on the referrer, which I've been told can
be faked).

Thanks again Brian and Alan.

Jon

From: efflandt@xnet.com (David Efflandt)
Subject: Re: CGI for specific user only
Reply-To: efflandt@xnet.com
Organization: XNet Information Systems, Inc.
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net>
Message-ID: <slrn8p16hc.37f.efflandt@efflandt.xnet.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 8 Aug 2000 16:40:11 -0600
X-Trace: 8 Aug 2000 16:40:11 -0600, 206.125.69.81
Lines: 34
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91718

On 8 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
:But, I think I see this kind of authentication a lot.  So, I'm
:wondering how big of a threat this is.  One of the online trading
:services my in-laws use has this kind of authentication, AFAIK.  And,
:if you can just sniff out the response, aren't you asking for trouble?
:Especially if you use DSL or a cable modem?  Is this issue something
:to worry about?  It sounds to me like it sure could be.  However, if
:someone's sniffing to get this username and password, wouldn't they
:also get the password I submit via a CGI form?

Not to beat a dead horse, but if something like a shopping cart or bank or
trading house needs secure authentication, they will use SSL
(https://url).  This will use encrypted passwords and data transfer.  You
should never enter credit card info on any form that just uses a plain
http://url, only if it uses https (with the 's').

If I do something myself that needs to be secure, like a webshell.cgi that
runs as me, I will use both, some form of authentication and checking my
source IP (I have static PPP IP).  The only time that was a problem was
when a router on the internet was caching everything, and requests
appeared to come from them.  But we put a stop to that because they have
no justification for caching CGI and other no-cache data.

-- 
David Efflandt  efflandt@xnet.com  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://hammer.prohosting.com/~cgi-wiz/  http://cgi-help.virtualave.net/


From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Reply-To: brian@smithrenaud.com (brian d foy)
Organization: PANIX Public Access Internet and UNIX, NYC
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <slrn8p16hc.37f.efflandt@efflandt.xnet.com>
Message-ID: <brian-ya02408000R0808002201030001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 8 Aug 2000 19:01:01 -0600
X-Trace: 8 Aug 2000 19:01:01 -0600, 206.125.69.81
Lines: 20
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!cyclone.bc.net!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91722

In article <slrn8p16hc.37f.efflandt@efflandt.xnet.com>, efflandt@xnet.com posted:

: Not to beat a dead horse, but if something like a shopping cart or bank or
: trading house needs secure authentication, they will use SSL
: (https://url).  This will use encrypted passwords and data transfer.

it won't use encrypted passwords unless you tell it to do so and
the browser supports that.  the only difference is that the same 
transaction happens over a secure channel.

-- 
brian d foy                    
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>

Path: nntp.stanford.edu!newsfeed.stanford.edu!headwall.stanford.edu!feeder.via.net!cyclone-sf.pbi.net!206.13.28.33!news.pacbell.net.POSTED!bigiain
From: bigiain@mightymedia.com.au (Iain Chalmers)
Newsgroups: comp.infosystems.www.authoring.cgi
Subject: Re: CGI for specific user only
Message-ID: <bigiain-0908001253530001@bigman.mighty.com.au>
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <slrn8p16hc.37f.efflandt@efflandt.xnet.com>
Organization: Mighty Media
X-Newsreader: MT-NewsWatcher 2.4.4
Approved: mein Luftkissenfahrzeug ist voll von den Aalen
Lines: 14
Date: Wed, 09 Aug 2000 12:53:53 +1000
NNTP-Posting-Host: 61.8.7.114
X-Complaints-To: abuse@pacbell.net
X-Trace: news.pacbell.net 965789614 61.8.7.114 (Tue, 08 Aug 2000 19:53:34 PDT)
NNTP-Posting-Date: Tue, 08 Aug 2000 19:53:34 PDT
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91725

In article <slrn8p16hc.37f.efflandt@efflandt.xnet.com>, efflandt@xnet.com wrote:

>You should never enter credit card info on any form that just uses a plain
>http://url, only if it uses https (with the 's').

This is correct, but possibly misleading - the html page with the form can
be served over an http connection. As long as the ACTION of the form is
using https, the data will travel over an encrypted connection - even if
the form is using the GET method (yes, unexpected (to me at least), but
true - even the request_uri is encrypted for a https connection)

cheers

Iain

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.)
Organization: EarthLink Inc. -- http://www.EarthLink.net
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <slrn8p16hc.37f.efflandt@efflandt.xnet.com>
Message-ID: <399188ac.12312880@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 9 Aug 2000 09:55:46 -0600
X-Trace: 9 Aug 2000 09:55:46 -0600, 206.125.69.81
Lines: 48
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!logbridge.uoregon.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91731

On 8 Aug 2000 16:40:11 -0600, efflandt@xnet.com (David Efflandt)
wrote:

:On 8 Aug 2000, Jon S. <jonceramic@nospammiesno.earthlink.net> wrote:
::But, I think I see this kind of authentication a lot.  So, I'm
::wondering how big of a threat this is.  One of the online trading
::services my in-laws use has this kind of authentication, AFAIK.  And,
::if you can just sniff out the response, aren't you asking for trouble?
::Especially if you use DSL or a cable modem?  Is this issue something
::to worry about?  It sounds to me like it sure could be.  However, if
::someone's sniffing to get this username and password, wouldn't they
::also get the password I submit via a CGI form?
:
:Not to beat a dead horse, but if something like a shopping cart or bank or
:trading house needs secure authentication, they will use SSL
:(https://url).  This will use encrypted passwords and data transfer.  You
:should never enter credit card info on any form that just uses a plain
:http://url, only if it uses https (with the 's').

Just try to log into the datek.com investment site.  It looks all the
world to me like an unencrypted user authentication request.

:If I do something myself that needs to be secure, like a webshell.cgi that
:runs as me, I will use both, some form of authentication and checking my
:source IP (I have static PPP IP).  The only time that was a problem was
:when a router on the internet was caching everything, and requests
:appeared to come from them.  But we put a stop to that because they have
:no justification for caching CGI and other no-cache data.

Thanks David.  What you've said makes a lot of sense.  If I wasn't
already completely indebted to Stein for his books, FAQ's, and CGI.pm,
I'd write him and ask him to expand his security FAQ with your posts on
this.  I mean, the FAQ covers it all, but for newbies who are just
using a webhoster (there's got to be millions of us by now), it's
tough to figure out a course of action by reading it.  Of course, the
second he wrote a "here's how to be safe" list, he'd get sued the
second someone got hacked even though they did it all as listed.  So,
maybe not.

Now I know what to aim for.  Thanks again everyone.

Jon

From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Reply-To: brian@smithrenaud.com (brian d foy)
Organization: PANIX Public Access Internet and UNIX, NYC
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <slrn8p16hc.37f.efflandt@efflandt.xnet.com> <bigiain-0908001253530001@bigman.mighty.com.au>
Message-ID: <brian-ya02408000R0908001015550001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 9 Aug 2000 14:02:24 -0600
X-Trace: 9 Aug 2000 14:02:24 -0600, 206.125.69.81
Lines: 26
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!newsfeed.cwix.com!natasha.rmii.com!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91743

In article <bigiain-0908001253530001@bigman.mighty.com.au>, bigiain@mightymedia.com.au (Iain Chalmers) posted:

: This is correct, but possibly misleading - the html page with the form can
: be served over an http connection. As long as the ACTION of the form is
: using https, the data will travel over an encrypted connection - even if
: the form is using the GET method (yes, unexpected (to me at least), but
: true - even the request_uri is encrypted for a https connection)

why is that unexpected?  the entire transaction uses the secure
channel.

the problem with GET is that form information shows up in the 
URI which is leaky.  it will show up in server logs and referer
strings which may not travel over secure channels, or be stored 
securely.

-- 
brian d foy                    
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>

Path: nntp.stanford.edu!newsfeed.stanford.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!newsfeed.mathworks.com!cyclone.swbell.net!cyclone-sf.pbi.net!206.13.28.144!news.pacbell.net.POSTED!bigiain
From: bigiain@mightymedia.com.au (Iain Chalmers)
Newsgroups: comp.infosystems.www.authoring.cgi
Subject: Re: CGI for specific user only
Message-ID: <bigiain-1008001246120001@bigman.mighty.com.au>
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <slrn8p16hc.37f.efflandt@efflandt.xnet.com> <bigiain-0908001253530001@bigman.mighty.com.au> <brian-ya02408000R0908001015550001@news.panix.com>
Organization: Mighty Media
X-Newsreader: MT-NewsWatcher 2.4.4
Approved: mein Luftkissenfahrzeug ist voll von den Aalen
Lines: 28
Date: Thu, 10 Aug 2000 12:46:12 +1000
NNTP-Posting-Host: 61.8.7.114
X-Complaints-To: abuse@pacbell.net
X-Trace: news.pacbell.net 965875549 61.8.7.114 (Wed, 09 Aug 2000 19:45:49 PDT)
NNTP-Posting-Date: Wed, 09 Aug 2000 19:45:49 PDT
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91750

In article <brian-ya02408000R0908001015550001@news.panix.com>,
brian@smithrenaud.com (brian d foy) wrote:

>In article <bigiain-0908001253530001@bigman.mighty.com.au>,
>bigiain@mightymedia.com.au (Iain Chalmers) posted:
>
>: This is correct, but possibly misleading - the html page with the form can
>: be served over an http connection. As long as the ACTION of the form is
>: using https, the data will travel over an encrypted connection - even if
>: the form is using the GET method (yes, unexpected (to me at least), but
>: true - even the request_uri is encrypted for a https connection)
>
>why is that unexpected?  the entire transaction uses the secure
>channel.

<GRIN> Well, like I said, it was unexpected to me :-) 

For some reason, I made the (incorrect) assumption that because _I_ could
see the form data from a GET request in the location bar on my browser,
that  the URI was going to the server in cleartext. 

By the time somebody corrected me for sprouting my unwarranted assumptions
in public, I was _so_ convinced of what I "knew" that I had to resort to
packet sniffing before I'd change my mind...

Stubborn bastard, aren't I???

big

From: "Alan J. Flavell" <flavell@mail.cern.ch>
Subject: Re: CGI for specific user only
Reply-To: "Alan J. Flavell" <flavell@mail.cern.ch>
Organization: Knights of the Round Tuit
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net>
Message-ID: <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 12 Aug 2000 05:17:33 -0600
X-Trace: 12 Aug 2000 05:17:33 -0600, 206.125.69.81
Lines: 84
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!cyclone.bc.net!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91787


[a belated followup that will basically only confirm what others have
said...]

On 8 Aug 2000, Jon S. wrote:

[..]
: through the password file and .htaccess.  The original page I found
: months ago at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
: says that because the password can be sent as "Basic HTTP
: Authentication" which is uuencoded and can be snagged by anyone with a
: packet sniffer.  This is what Alan mentioned, right?

Correct.  However, it's about the only method that's widely supported
by browsers.  If you want to protect that authentication method
against network sniffing, then you'd need to run it over HTTPS
(SSL-encrypted HTTP) rather than plain HTTP.

: But, I think I see this kind of authentication a lot. 

Yup.

:  However, if
: someone's sniffing to get this username and password, wouldn't they
: also get the password I submit via a CGI form?

Sure.  I don't recommend knitting your own security checks, but if you
do, then you gotta be more resourceful than that, e.g. sending the
browser some executable code (I guess java or javascript could do it)
that encrypts the user input using some kind of salt sent by the
server, before sending it over the net to the server.  That way,
someone who sniffed the transaction and tried to use it again would
get sent a different salt and would fail the new challenge.

But as I say, I do NOT recommend knitting your own.  Security is too
important to be taken on by amateurs like you and me, and "security by
obscurity" is ultimately a dead-end: once the secret is out, you have
to start again.  The only good security is one with a widely known and
documented and peer-reviewed technique, that has been designed to be
inherently secure.  Otherwise it's little better than 'hiding' the key
under the doormat.

: Reading through those, I did find the link to
: http://www.apache.org/docs-1.2/mod/core.html which shows lots of the
: function names in the tutorials I've read. 

I was going to recommend the tutorials at apacheweek, but I see that
you've found them already.  Good.

: *Care must be taken to ensure that the resource is restricted against
: all methods. Use of <Limit GET>, for instance, leaves POST and other
: request methods unprotected. 

Absolutely.   Read recent Apache documentation carefully again on that
point (the wording has been carefully hammered out in an attempt to 
explain this widely-misunderstood feature).

: *The username and password are stored in a plain text file. While the
: password is encrypted, it is not completely safe against decryption,
: so the file should not be accessible to other users on the system.

Yup, that's what I meant about "cracking" it.

: The Digest Authentication scheme will make the sending of passwords
: across the Internet more secure. 

As far as I'm aware, this hasn't gotten widely implemented.  But maybe
I just haven't been watching hard enough.  Sorry: when I don't really
know the answer, I think it's safer to be honest than to try to bluff
my way through...  perhaps someone else knows what the client
implementation status is?

cheers





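Two points in this thread, the apacheweek excerpt Jon quoted (Basic sends the password in the clear; Digest is meant to fix that) and Alan's sketch of a server-sent salt that makes a sniffed exchange useless a second time, are the same idea, and HTTP Digest authentication is the standardised, peer-reviewed form of it. The following is an added example, not code from the thread or from Apache's mod_digest: it decodes a constructed Basic header to show it is only an encoding, then walks through the Digest computation (RFC 2617 without the qop extension) with a single-use nonce so that a replayed response is rejected. The realm, user, password and captured header are constructed values, and the single-use nonce store is a simplification of the RFC's nonce handling.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed "captured" header: base64 of "jon:s3cret".
CAPTURED_BASIC_HEADER = "Basic am9uOnMzY3JldA=="


def decode_basic(header):
    """Recover user and password from a Basic credential. Base64 is an
    encoding, not encryption: whoever sees the header has the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """MD5(user:realm:password), the value an htdigest file stores;
    the server never needs the cleartext password."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """Client side: bind the credential to the server's nonce and the request."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal verifier. Nonces are single-use here (a simplification of
    the RFC's nonce-count handling), so a replayed response fails."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # {username: ha1}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.live_nonces:
            return False              # unknown, expired, or already used
        self.live_nonces.discard(nonce)
        ha1 = self.users.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, nonce, method, uri)
        return hmac.compare_digest(expected, response)


def replay_demo():
    """(genuine login ok, replay of the sniffed response ok, wrong password ok)."""
    realm = "Admin Scripts"
    server = DigestServer(realm, {"jon": digest_ha1("jon", realm, "s3cret")})
    method, uri = "GET", "/cgi-bin/admin/edit.cgi"

    nonce = server.challenge()
    sniffed = digest_response(digest_ha1("jon", realm, "s3cret"), nonce, method, uri)
    genuine = server.verify("jon", nonce, method, uri, sniffed)

    # An eavesdropper who captured `sniffed` is issued a fresh nonce next time.
    replay = server.verify("jon", server.challenge(), method, uri, sniffed)

    nonce3 = server.challenge()
    wrong = server.verify("jon", nonce3, method, uri,
                          digest_response(digest_ha1("jon", realm, "guess"),
                                          nonce3, method, uri))
    return genuine, replay, wrong


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(CAPTURED_BASIC_HEADER))
    print("genuine, replay, wrong-password:", replay_demo())
```

What Digest buys you is exactly what Alan describes: the password never crosses the wire and a captured response is tied to one nonce. It does nothing for the rest of the transaction, and the sniffer still sees every request and reply, which is why the thread's answer for anything beyond the login step is HTTPS.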

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.)
Organization: EarthLink Inc. -- http://www.EarthLink.net
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch>
Message-ID: <3997f9ea.2106426@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 14 Aug 2000 07:21:16 -0600
X-Trace: 14 Aug 2000 07:21:16 -0600, 206.125.69.81
Lines: 38
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!cyclone.bc.net!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91827

On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell"
<flavell@mail.cern.ch> wrote:
:[a belated followup that will basically only confirm what others have
:said...]

Thanks Alan, I just have one more question, you said...

:But as I say, I do NOT recommend knitting your own.  Security is too
:important to be taken on by amateurs like you and me, and "security by
:obscurity" is ultimately a dead-end: once the secret is out, you have
:to start again.  The only good security is one with a widely known and
:documented and peer-reviewed technique, that has been designed to be
:inherently secure.  Otherwise it's little better than 'hiding' the key
:under the doormat.

Okay, so this sounds nearly like a paradox though.  I mean, there
doesn't seem to be much out there for a newbie other than an ht password
file in a safe place on your directory and doing a secondary quick
"password" field in a form passed via https.

For newbies, does it all boil down to just those two techniques
combined?

To add complication, to get https via my lowend webhosting package, I
have to use a completely separate server which looks really lousy and
hoses my image generation scheme.  (It's a URL from hell on a
completely different server farm.)  Oh well, for administration
scripts, I guess it's not such a big deal.

Thanks again everyone,

Jon
--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a
SELF-MODERATED newsgroup. aa.net and boutell.com are
NOT the originators of the articles and are NOT responsible
for their content. You can SELF-APPROVE your first posting
by writing the word 'passme' on a line by itself.

From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Reply-To: brian@smithrenaud.com (brian d foy)
Organization: PANIX Public Access Internet and UNIX, NYC
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net>
Message-ID: <brian-ya02408000R1408001418210001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 14 Aug 2000 11:19:20 -0600
X-Trace: 14 Aug 2000 11:19:20 -0600, 206.125.69.81
Lines: 26
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!newspeer1.nac.net!newsfeed.nwlink.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91835

In article <3997f9ea.2106426@news.earthlink.net>, jonceramic@nospammiesno.earthlink.net (Jon S.) posted:

: Okay, so this sounds nearly like a paradox though.  I mean, there
: doesn't seem to be much out there for a new other than an ht password
: file in a safe place on your directory and doing a secondary quick
: "password" field in a form passed via https.

you are more limited by the user-agent's features than you are by
the servers.

: To add complication, to get https via my lowend webhosting package, I
: have to use a completely separate server which looks really lousy and
: hoses my image generation scheme.

that sounds like a business problem rather than a technology problem.

-- 
brian d foy                    
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>

From: Michael Wines <u199909@purethought.com>
Subject: Re: CGI for specific user only
Reply-To: Michael Wines <u199909@purethought.com>
Organization: Pure Thought
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net>
Message-ID: <3999263E.795E3FDF@purethought.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 15 Aug 2000 04:12:41 -0600
X-Trace: 15 Aug 2000 04:12:41 -0600, 206.125.69.81
Lines: 39
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!logbridge.uoregon.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91862

"Jon S." wrote:
: 
: On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell"
: <flavell@mail.cern.ch> wrote:
: :[a belated followup that will basically only confirm what others have
: :said...]
: 
: Thanks Alan, I just have one more question, you said...
: 
: :But as I say, I do NOT recommend knitting your own.  Security is too
: :important to be taken on by amateurs like you and me, and "security by
: :obscurity" is ultimately a dead-end: once the secret is out, you have
: :to start again.  The only good security is one with a widely known and
: :documented and peer-reviewed technique, that has been designed to be
: :inherently secure.  Otherwise it's little better than 'hiding' the key
: :under the doormat.
: 
: Okay, so this sounds nearly like a paradox though.  I mean, there
: doesn't seem to be much out there for a new other than an ht password
: file in a safe place on your directory

: and doing a secondary quick
: "password" field in a form passed via https.

Don't do that. https will encrypt the Basic Authentication credentials
(what you call htpassword), so there is no need to have a password
field in a form.


: For newbies, does it all boil down to just those two techniques
: combined?

It works.

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.)
Organization: EarthLink Inc. -- http://www.EarthLink.net
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <brian-ya02408000R1408001418210001@news.panix.com>
Message-ID: <39995522.4909141@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 15 Aug 2000 07:39:10 -0600
X-Trace: 15 Aug 2000 07:39:10 -0600, 206.125.69.81
Lines: 30
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!logbridge.uoregon.edu!newsfeed.direct.ca!look.ca!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91864

On 14 Aug 2000 11:19:20 -0600, brian@smithrenaud.com (brian d foy)
wrote:

:In article <3997f9ea.2106426@news.earthlink.net>, jonceramic@nospammiesno.earthlink.net (Jon S.) posted:
:
:: Okay, so this sounds nearly like a paradox though.  I mean, there
:: doesn't seem to be much out there for a new other than an ht password
:: file in a safe place on your directory and doing a secondary quick
:: "password" field in a form passed via https.
:
:you are more limited by the user-agent's features than you are by
:the servers.

got it.

:: To add complication, to get https via my lowend webhosting package, I
:: have to use a completely separate server which looks really lousy and
:: hoses my image generation scheme.
:
:that sounds like a business problem rather than a technology problem.

Certainly is.  But, I'm living with it...

Jon

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: CGI for specific user only
Reply-To: jonceramic@nospammiesno.earthlink.net (Jon S.)
Organization: EarthLink Inc. -- http://www.EarthLink.net
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <3999263E.795E3FDF@purethought.com>
Message-ID: <3999556b.4982233@news.earthlink.net>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 15 Aug 2000 07:42:39 -0600
X-Trace: 15 Aug 2000 07:42:39 -0600, 206.125.69.81
Lines: 53
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!headwall.stanford.edu!feeder.via.net!news.he.net!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91865

On 15 Aug 2000 04:12:41 -0600, Michael Wines <u199909@purethought.com>
wrote:

:"Jon S." wrote:
:: 
:: On 12 Aug 2000 05:17:33 -0600, "Alan J. Flavell"
:: <flavell@mail.cern.ch> wrote:
:: :[a belated followup that will basically only confirm what others have
:: :said...]
:: 
:: Thanks Alan, I just have one more question, you said...
:: 
:: :But as I say, I do NOT recommend knitting your own.  Security is too
:: :important to be taken on by amateurs like you and me, and "security by
:: :obscurity" is ultimately a dead-end: once the secret is out, you have
:: :to start again.  The only good security is one with a widely known and
:: :documented and peer-reviewed technique, that has been designed to be
:: :inherently secure.  Otherwise it's little better than 'hiding' the key
:: :under the doormat.
:: 
:: Okay, so this sounds nearly like a paradox though.  I mean, there
:: doesn't seem to be much out there for a new other than an ht password
:: file in a safe place on your directory
:
:: and doing a secondary quick
:: "password" field in a form passed via https.
:
:Don't do that. https will encrypt the Basic Authentication credentials
:(what you call htpassword), so there is no need to have a password
:field in a form.

Ok.  I think I understand.  To get this, I have to request the
password protected file with https, and once the request is set up,
the browser and server decide on the SSL, and everything until I break
that is encrypted?  That's all it takes?  The basic authentication
stays inside the https "wrapping"?

:: For newbies, does it all boil down to just those two techniques
:: combined?
:
:It works.

:)  Well, that's all I really need to know then.

Thanks again all,

Jon

From: brian@smithrenaud.com (brian d foy)
Subject: Re: CGI for specific user only
Reply-To: brian@smithrenaud.com (brian d foy)
Organization: PANIX Public Access Internet and UNIX, NYC
References: <8mjhla$je0$1@newton.pacific.net.sg> <slrn8or0l2.sf7.efflandt@efflandt.xnet.com> <398ee78b.12921178@news.earthlink.net> <Pine.GHP.4.21.0008071934500.16865-100000@hpplus03.cern.ch> <brian-ya02408000R0708002024460001@news.panix.com> <399044e6.10893856@news.earthlink.net> <Pine.GHP.4.21.0008082120180.1369-100000@hpplus03.cern.ch> <3997f9ea.2106426@news.earthlink.net> <3999263E.795E3FDF@purethought.com>
Message-ID: <brian-ya02408000R1508001550030001@news.panix.com>
Newsgroups: comp.infosystems.www.authoring.cgi
Approved: Self-Moderation <authoring-cgi@boutell.com>
NNTP-Posting-Host: 206.125.69.81
Date: 15 Aug 2000 12:50:37 -0600
X-Trace: 15 Aug 2000 12:50:37 -0600, 206.125.69.81
Lines: 19
X-Original-NNTP-Posting-Host: 204.157.220.254
Path: nntp.stanford.edu!newsfeed.stanford.edu!bloom-beacon.mit.edu!newsswitch.lcs.mit.edu!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!nntp.primenet.com!nntp.gblx.net!nntp-cust.primenet.com!huge.aa.net!206.125.69.81
Xref: nntp.stanford.edu comp.infosystems.www.authoring.cgi:91875

In article <3999263E.795E3FDF@purethought.com>, Michael Wines <u199909@purethought.com> posted:

: Don't do that. https will encrypt the Basic Authentication credentials
: (what you call htpassword), so there is no need to have a password
: field in a form.

the password HTML widget has nothing to do with encryption, so the
use of encryption does not deprecate it.

-- 
brian d foy                    
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>
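The two points made above (Michael Wines: https protects the Basic Authentication credentials; brian d foy: the password widget itself provides no encryption) both rest on one fact, namely that Basic Authentication only base64-encodes "user:password" and it is the TLS layer, not the browser widget or the scheme, that keeps it private on the wire. The following is an added illustration written for this archive page, not code from any of the posters. It shows what the server actually receives and how a check against a hashed password file would be made. The credential-file format (pbkdf2_sha256$iterations$salt$hash) is a constructed stand-in, not one of Apache's htpasswd formats, and the CGI environment dicts are constructed sample requests. In the .htaccess setup discussed in the thread, Apache performs this check itself before the script runs and the script only sees REMOTE_USER; the check is reimplemented here purely so the wire format is visible.

```python
"""Added example (not from the thread): what a Basic Auth check sees.

The password file format below and the sample requests are constructed for
illustration; Apache's own htpasswd formats differ.
"""
import base64
import hashlib
import hmac
import secrets


def basic_header(user, password):
    """Build what a browser sends after the user fills in the Basic Auth
    dialog: base64("user:password").  This is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.
    Returns None for a missing or malformed header."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def make_entry(user, password, iterations=100_000, salt=None):
    """One line of the constructed password file: the plaintext is never
    stored, so a leaked file does not hand out working passwords."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{user}:pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def load_entries(text):
    """Parse 'user:spec' lines (blank lines and '#' comments ignored)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, spec = line.partition(":")
        entries[user] = spec
    return entries


# Dummy entry hashed for unknown users so their response time matches.
DUMMY_SPEC = make_entry("x", "x", salt=bytes(16)).partition(":")[2]


def verify(entries, user, password):
    """Constant-time comparison against the stored hash; unknown users still
    pay the hashing cost so timing does not reveal which usernames exist."""
    spec = entries.get(user, DUMMY_SPEC)
    try:
        algo, iters, salt_hex, digest_hex = spec.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc.hex(), digest_hex) and user in entries


def authenticate_request(environ, entries):
    """Server-side decision for one CGI-style request: (status, detail)."""
    if environ.get("HTTPS", "").lower() != "on":
        # Without TLS the base64 token crosses the wire readable by anyone
        # on the path, whatever widget the browser used to collect it.
        return 403, "https required"
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        return 401, 'WWW-Authenticate: Basic realm="admin"'
    user, password = creds
    if verify(entries, user, password):
        return 200, user
    return 401, 'WWW-Authenticate: Basic realm="admin"'


# Constructed sample password file with a fixed salt (deterministic demo only).
SAMPLE_FILE = make_entry("jon", "correct-horse", salt=bytes(16))

if __name__ == "__main__":
    entries = load_entries(SAMPLE_FILE)
    header = basic_header("jon", "correct-horse")
    print("on the wire:", header)
    print("server decodes it to:", parse_basic_authorization(header))
    print(authenticate_request({"HTTPS": "off", "HTTP_AUTHORIZATION": header}, entries))
    print(authenticate_request({"HTTPS": "on", "HTTP_AUTHORIZATION": header}, entries))
```

Running the block prints the header as the browser sends it and its trivially decoded form, then shows the same credentials being refused over plain http and accepted over https. The fixed zero salt exists only to make the demo deterministic; a real password file gets a random salt per entry, as `make_entry` does by default.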
