Author Topic: Secure Alt.Binz login authentication  (Read 3517 times)

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Secure Alt.Binz login authentication
« on: July 25, 2010, 07:01:38 pm »
I have been using Tor as my HTTP proxy for searching and it works great, but nothing prevents the Alt.Binz authentication from being sniffed at the exit node.

I am able to sniff out the x-www-form-urlencoded request used for authentication. The username is sent in plain text, and the password, while hashed, stays the same every time. I am concerned that this could lead to a compromise.

I'd like to suggest a secure authentication system. Thank you for Alt.Binz!

Offline Hecks

  • Contributor
  • ***
  • Posts: 2011
  • naughty cop
Re: Secure Alt.Binz login authentication
« Reply #1 on: July 25, 2010, 09:02:26 pm »
What kind of compromise do you have in mind?

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Re: Secure Alt.Binz login authentication
« Reply #2 on: July 25, 2010, 09:55:25 pm »
A compromise would depend on how the authentication server would handle a duplicated request. I don't want to experiment with that myself; I have no wish to be banned. I'd imagine that it would be possible to trigger the authentication protection mechanism, at the very least.

I thought it would be worth bringing up this concern for consideration.

Offline Hecks

  • Contributor
  • ***
  • Posts: 2011
  • naughty cop
Re: Secure Alt.Binz login authentication
« Reply #3 on: July 26, 2010, 12:45:29 am »
Hmm, yes that would be unfortunate.

The username at least should be hashed, after that we're talking about exchanging nonces and the rest, probably something like digest access authenticaton so that the values are different each attempt.

It depends really on what the Kraken thinks about how the authentication system might be affected by replay attacks, if at all.

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Re: Secure Alt.Binz login authentication
« Reply #4 on: July 26, 2010, 01:37:55 am »
Agreed. I know just enough on the subject to express caution.

I do understand that such attempts are not likely to be made, though using a proxy such as Tor greatly increases the interest of traffic passed through the exit nodes.