[En-Nut-Discussion] Web page security?
Edwin van den Oetelaar
edwin at oetelaar.com
Mon Feb 20 20:17:08 CET 2006
Tim Tait wrote:
>
> I gave a couple of questions on security of the ethernut web
> authorization (as shown in the httpd sample app), as I am planning on
> using for some home automation tasks.
>
> - Are passwords encrypted on the wire?
No, not really, it looks like this on the wire : (Ethereal)
HTTP/1.1 401 Authorization Required
Date: Mon, 20 Feb 2006 18:24:40 GMT
Server: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.6
Set-Cookie: ZDEDebuggerPresent=php,phtml,php3
Set-Cookie: PHPSESSID=f319d122615b46a84c596ff6aa6d2ec8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="Welcome to DreamSolution Kiekie"
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
19
Error 401 - Access denied
0
-- this generates a login request on the client
-- the client responds with something like this
POST /handlers/formhandler.php HTTP/1.1
Host: Noneofyourbusiness.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1)
Gecko/20060124 Firefox/1.5.0.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://removedmyserveraddress.nl/HomePage/edit/1
Cookie: ZDEDebuggerPresent=php,phtml,php3;
ZDEDebuggerPresent=php,phtml,php3;
PHPSESSID=f319d122615b46a84c596ff6aa6d2ec8
Authorization: Basic ZWR3aW46b2V0ZWxhYXI=
Content-Type: multipart/form-data;
boundary=---------------------------8677702311271115801079909650
Content-Length: 3257
Take a look at the BASIC AUTHORIZATION : THIS IS BASE64 (look at auth.c
in pro directory)
> - If so by what means?
> - Are replay attacks possible?
>
Yes, If you don't want replay attacks you need a challenge/response
solution even if passwords were encrypted
> I read some stuff about TEA (Tiny Encryption Algorithm)
> <http://www.ftp.cl.cam.ac.uk/ftp/papers/djw-rmn/djw-rmn-tea.html>, has
> anybody used it with NutOs/NutNet to secure web pages or telnet?
>
I have not used it.
> Thanks-
>
> Tim
More information about the En-Nut-Discussion
mailing list