From owner-freebsd-isp Mon Mar 13 22: 7:34 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from vampire.gothic.net.au (vampire.gothic.net.au [202.182.72.18])
    by hub.freebsd.org (Postfix) with ESMTP id F069937B6EA
    for ; Mon, 13 Mar 2000 22:07:25 -0800 (PST)
    (envelope-from sean@gothic.net.au)
Received: by vampire.gothic.net.au (Postfix, from userid 1000)
    id E1706A88B; Tue, 14 Mar 2000 17:07:04 +1100 (EST)
Received: from localhost (localhost [127.0.0.1])
    by vampire.gothic.net.au (Postfix) with ESMTP id AA35E3883;
    Tue, 14 Mar 2000 17:07:04 +1100 (EST)
Date: Tue, 14 Mar 2000 17:07:04 +1100 (EST)
From: Sean Winn
To: Chris Cook
Cc: Leif Neland , freebsd-isp@FreeBSD.ORG
Subject: Re: Is passwords send to auth webpages secure?
In-Reply-To: <38CDD173.EEB690BD@tcworks.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 13 Mar 2000, Chris Cook wrote:

> Leif Neland wrote:
> >
> > Now I have been asked if the passwords from browser to squid are sent in
> > cleartext, so it can be sniffed?
>
> I have tried sniffing passwords like this before as a test, and they
> always showed up as scrambled (unreadable). I am assuming that my
> browser (Netscape 4.6/FreeBSD) was using some sort of mild encryption to
> send the username/login. More info on this would be neat, but you
> should invest in some switches anyways. Hasto...

Basic authentication is base-64 encoded, which isn't exactly difficult to
decrypt. Effectively it's cleartext.

NTLM authentication uses challenge/response, but squid doesn't support
that (there were old patches for it available, but they were a work in
progress, and not ready for real use); the only browsers/proxies I know of
that support it are IE and MS-Proxy; I expect FrontPage when functioning
as a web client would support it as well.

> --
> Chris
>
> o----< ccook@tcworks.net >----------------------------------------o
> |Chris Cook - Technician | TCWORKS.NET - http://www.tcworks.net   |
> |The Computer Works      | FreeBSD - http://www.freebsd.org       |
> o-----------------------------------------------------------------o
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>

--
Sean Winn email: sean@gothic.net.au
All opinions valued at $0.02, and not subject to inflation.
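
An added example, not part of the original message or of squid: a small audit helper that reads the auth headers from a request as seen on the browser-to-proxy path and reports whether the credentials can be read back by decoding alone. The request, user name and password are constructed sample values, and audit_auth_headers is a hypothetical helper name.

```python
import base64
import binascii

# Constructed sample: request headers as seen on the browser-to-proxy path.
CAPTURED = (
    "GET http://www.example.com/ HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Proxy-Authorization: Basic bGVpZjpzM2NyZXQ6cHc=\r\n"
    "\r\n"
)

AUTH_HEADERS = ("authorization", "proxy-authorization")


def audit_auth_headers(raw_request):
    """Return one finding per (Proxy-)Authorization header in a raw request."""
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in AUTH_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        finding = {"header": name.strip(), "scheme": scheme, "recoverable": False}
        if scheme.lower() == "basic":
            try:
                raw = base64.b64decode(token.strip(), validate=True)
            except (binascii.Error, ValueError):
                finding["error"] = "malformed base64"
            else:
                # Split on the first colon only: a password may contain colons.
                user, colon, password = raw.decode("latin-1").partition(":")
                if colon:
                    finding.update(recoverable=True, user=user, password=password)
                else:
                    finding["error"] = "no user:password separator"
        # Other schemes (e.g. NTLM challenge/response) carry no password
        # that decoding alone would reveal, so they stay recoverable=False.
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_auth_headers(CAPTURED):
        print(f)
```

Any header reported with recoverable=True exposes the password to anyone who can read the traffic, which is why Basic needs an encrypted transport or a non-sniffable path.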