[16619] in bugtraq


Re: Intacct.com: Multiple bugs at financial services company

daemon@ATHENA.MIT.EDU (Aaron Bentley)
Wed Sep 6 19:57:55 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10009061312410.18445-100000@megaserver.localdomain>
Date:         Wed, 6 Sep 2000 13:23:43 -0400
Reply-To: Aaron Bentley <abentley@PANORAMICFEEDBACK.COM>
From: Aaron Bentley <abentley@PANORAMICFEEDBACK.COM>
X-To:         "Chris L. Mason" <cmason@UNIXZONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000906074800.A10422@unixzone.com>

On Wed, 6 Sep 2000, Chris L. Mason wrote:

> I think there's a solution to this "problem" that is far too often
> overlooked.  More sites simply need to start using HTTP Basic
> Access Authentication.  This is the mechanism that causes a "pop-up"
> box to appear where the user must enter their username and password.

Hi,
We use Basic Authentication on our site.  Here are some extra comments:

1. If you ask it to, Internet Explorer will cache the password indefinitely

2. The username is cached.  It's very tricky to allow users to change their
username without restarting their browser

3. Proxy servers can interfere with HTTP authentication.  When your web site
doesn't work, they'll blame you, not themselves.

4. It's harder to detect dictionary attacks on your web site, since http auth
is usually handled at the server level, not the CGI level.

Aaron

Aaron Bentley
Manager of Information Technology
PanoMetrics, Inc.
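Point 4 above is the practical one for defenders: when Basic authentication is enforced by the web server, the CGI layer never sees the failed attempts, so the only record of a dictionary attack is the server's access log. The script below is an added example, not code from Aaron Bentley's post or from PanoMetrics; it assumes Apache "combined" log format, where the third field (%u) carries the username the client sent, and it flags any source address that produced a burst of 401 responses carrying credentials within a short window. The log lines are constructed sample data, and the threshold and window are illustrative settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic in Apache "combined" log format (not real log data).
# The third field is %u, the username the client supplied. Apache notes it may be
# bogus on a 401, which is precisely what makes it useful here: a 401 with a
# username means a credential was tried and rejected, whereas a 401 with "-" is
# just the initial challenge every browser receives before showing the pop-up.
SAMPLE_LOG = """\
192.0.2.9 - - [06/Sep/2000:13:19:00 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:01 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:03 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:04 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:06 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:09 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - alice [06/Sep/2000:13:20:11 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
198.51.100.7 - bob [06/Sep/2000:13:21:40 -0400] "GET /app/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"
198.51.100.7 - bob [06/Sep/2000:13:21:55 -0400] "GET /app/ HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - bob [06/Sep/2000:14:10:00 -0400] "GET /app/report HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, user, timestamp, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts, int(m.group("status"))


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold rejected credentials inside `window`.

    Only 401s that carry a username count; the bare challenge ("-") is ignored,
    otherwise every first visit to the protected area would look like a failure.
    Returns {ip: {"failures": peak_count, "users": sorted usernames tried}}.
    """
    failures = defaultdict(list)   # ip -> timestamps of rejected credentials
    users = defaultdict(set)       # ip -> usernames seen on those rejections
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ts, status = parsed
        if status == 401 and user != "-":
            failures[ip].append(ts)
            users[ip].add(user)
    flagged = {}
    for ip, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = {"failures": peak, "users": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} rejected Basic-auth attempts "
              f"in 5 min, users tried={info['users']}")
```

On the sample data only 203.0.113.5 is reported (six rejections for "alice" in ten seconds); bob's single typo followed by a successful login stays below the threshold, and the credential-less challenge from 192.0.2.9 is never counted. Because the same username appearing from many addresses is the other shape a dictionary attack takes, a production version would keep a second counter keyed on the username as well.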
