Alt.Binz forum
New Alt.Binz versions => Requests => Topic started by: argv[0] on July 25, 2010, 07:01:38 pm
-
I have been using Tor as my HTTP proxy for searching and it works great, but nothing prevents the Alt.Binz authentication from being sniffed at the exit node.
I am able to sniff out the x-www-form-urlencoded request used for authentication. The username is sent in plain text, and the password, while hashed, stays the same every time. I am concerned that this could lead to a compromise.
I'd like to suggest a secure authentication system. Thank you for Alt.Binz!
-
What kind of compromise do you have in mind?
-
A compromise would depend on how the authentication server would handle a duplicated request. I don't want to experiment with that myself; I have no wish to be banned. I'd imagine that it would be possible to trigger the authentication protection mechanism, at the very least.
I thought it would be worth bringing up this concern for consideration.
-
Hmm, yes that would be unfortunate.
The username at least should be hashed, after that we're talking about exchanging nonces and the rest, probably something like digest access authenticaton so that the values are different each attempt.
It depends really on what the Kraken thinks about how the authentication system might be affected by replay attacks, if at all.
-
Agreed. I know just enough on the subject to express caution.
I do understand that such attempts are not likely to be made, though using a proxy such as Tor greatly increases the interest of traffic passed through the exit nodes.