Frackin script kiddies!!

[Richard Pieri]

On Aug 3, 2010, at 4:31 PM, Jarod Wilson wrote:
> 
> Yeah, that would be what the http auth-digest part is for. So am I to
> understand correctly that your main opposition to this approach is
> that the auth happens *after* the encryption channel is established,
> rather than being a requirement to bring up the encryption channel?

Correct.  The encryption channel does nothing to prevent an attack against auth-digest.  All it does is prevent eavesdroppers from listening in and seeing your login/password pair.

> So am I to presume you never use online banking and never shop online then?

Orthogonal issue, or straw-man, take your pick.  Two-tier presences put a firewall between the front-end web server and the back-end application.  Three-tier presences put firewalls between the front-end web server, the application server, and the back-end database.  In both cases the firewalls only permit outbound connections; they block all inbound connections.  This ensures that when -- not if, when -- the public-facing servers are compromised they are still isolated from the internal network and cannot be used to launch further attacks inbound.

On the other hand, it seems that you have no walls between your MythTV web server and everything on your internal network.  Someone gets past auth-digest somehow and he has full access to everything on the inside.

Food for thought.

--Rich P.