PerlMonks  

Re^4: CGI MySQL insert/update special characters

by haukex (Archbishop)
on Mar 29, 2020 at 07:13 UTC [id://11114768]


in reply to Re^3: CGI MySQL insert/update special characters
in thread CGI MySQL insert/update special characters

Plaintext HTTP is safe on an isolated network

You make some good points, but I disagree with this bit, on principle. At the very least, one should use a scheme such as Digest access authentication. (And what network is really isolated anymore nowadays?)

Re^5: CGI MySQL insert/update special characters
by jcb (Parson) on Mar 30, 2020 at 01:19 UTC

    The problem with digest authentication is that it requires the server to store a plaintext password or password-equivalent and that leads to the server being a very attractive target for stealing the password list. (Windows networking has gone through several variants of this that all fall to "pass the hash" attacks. Then Microsoft started using Kerberos in Active Directory and screwed that up too, leading to the "golden ticket" and "silver ticket" attacks.)

    I consider the house embedded device LAN an isolated network, since it does not cross with Internet-connected segments except at dual-NIC hosts (all of which are considered "secure" and none of which are configured to bridge LANs or route traffic) that are on both networks, nor are there any wireless APs on it, nor does it leave the building. Embedded devices often have really bad security anyway; I have worked with one embedded network stack that (unless I missed something in the code) used a 32-bit entropy variable for everything — including SSL session keys.

      The problem with digest authentication is that it requires the server to store a plaintext password or password-equivalent

      Yes, good point as well. (I did say "at the very least" - but I should have made it clear that more advanced schemes would be much better.)

      I consider the house embedded device LAN an isolated network ... Embedded devices often have really bad security anyway

      Taking this point together with the above, I'm confused about the message, whether plaintext passwords are okay or not. When an embedded or proprietary device has limitations, then one might not be able to do anything about its security, sure. But anything else, personally I like to play it safe. And when it comes to recommendations to others, personally I'd very much avoid saying that plaintext passwords are okay (when they can be avoided, as in the context of this thread) - that's all I was trying to say.

        I'm confused about the message, whether plaintext passwords are okay or not.

        Then I will be more clear: plaintext passwords are NEVER acceptable across the open Internet.

        (And some embedded devices have "SSL" that is little better than plaintext anyway — if the RNG has only a 32-bit state variable, then 32 bits is probably the effective strength of the session key!)
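An added Python walk-through (not code from this thread) of RFC 2617 Digest access authentication with qop="auth", illustrating jcb's point above that the server stores a password-equivalent: the client's response is computed from HA1 = MD5(username:realm:password), so whoever holds the stored HA1 can authenticate without the password, and the user table therefore needs the same protection as a plaintext password list. The exchange values are the example from RFC 2617 section 3.5.

```python
# HTTP Digest access authentication (RFC 2617, qop="auth") worked through,
# to show why the value a server stores per user (HA1) is a password-equivalent.
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what a Digest server keeps
    in its user table instead of the raw password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The client's 'response' field. Its input is HA1, not the password,
    so anyone holding HA1 can produce a valid response."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo() -> dict:
    """Exchange values taken from the RFC 2617 section 3.5 example."""
    realm, nonce = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    nc, cnonce, uri = "00000001", "0a4f113b", "/dir/index.html"
    stored = make_ha1("Mufasa", realm, "Circle Of Life")  # server's user table
    # Legitimate client: derives HA1 from the password it knows.
    good = digest_response(make_ha1("Mufasa", realm, "Circle Of Life"),
                           "GET", uri, nonce, nc, cnonce)
    wrong = digest_response(make_ha1("Mufasa", realm, "not the password"),
                            "GET", uri, nonce, nc, cnonce)
    # The stored HA1 alone, with no password, yields the same response: this is
    # why the user table must be protected exactly like a plaintext password list.
    from_ha1 = digest_response(stored, "GET", uri, nonce, nc, cnonce)
    return {
        "response": good,
        "password_accepted": server_verify(stored, "GET", uri, nonce, nc, cnonce, good),
        "wrong_password_rejected": not server_verify(stored, "GET", uri, nonce, nc, cnonce, wrong),
        "ha1_alone_accepted": server_verify(stored, "GET", uri, nonce, nc, cnonce, from_ha1),
    }
```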
