In my simplistic view, I see two issues --- sending your netid over the
campus network unencrypted, and then how it is handled on the site
itself... As the site is asking for the netid to be sent
unencrypted, I have to be suspicious about the rest of the authentication...
-bash-3.00# curl --head http://site.with.questionable.auth/
HTTP/1.1 401 Authorization Required
Date: Wed, 09 Apr 2008 15:39:00 GMT
Server: Apache/2.0.55 (Unix) DAV/2 PHP/5.0.5
WWW-Authenticate: Basic realm="MSU NetID"
Content-Type: text/html; charset=iso-8859-1
I've emailed a person responsible for the site, but haven't gotten a
Matt Kolb wrote:
> On Apr 9, 2008, at 11:20 AM, Jeff Siarto wrote:
>> Sentinel authentication already uses ssl when the user is prompted for
>> an MSU NetID and password. If the app is using the service correctly,
>> it should take them to login.msu.edu (which is secure), authenticate
>> them and then send them back to the application with the proper
>> credentials. All this is done securely and it shouldn't matter if the
>> application itself is hosted under ssl. As far as I know, after the
>> initial authentication no other personal data is sent via insecure
>> methods. Are my assumptions wrong?
> Sentinel uses MSU's Kerberos KDC (afsdb0.cl.msu.edu, run by ATS staff)
> as its actual authentication mechanism. I'm assuming what Tom is
> referring to is a site that uses either native kerberos or pam_imap or
> some other hackery to use a person's NetID and password to
> authenticate them. In almost all likelihood, sentinel has nothing to
> do with this.
> This being the case, the password is *handled* by the 3rd party
> application, which is exactly what I'm recommending avoiding.
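To make the check in the `curl --head` output above repeatable, here is an added example (not part of the thread, and not code from MSU or the Sentinel service) that parses a raw HTTP response, reads the WWW-Authenticate challenge, and flags a Basic challenge issued over a plain http:// URL. It also shows why that matters: a Basic Authorization header is base64, not encryption, so anyone on the network path reads the NetID and password directly. The sample response is constructed to mirror the one in the message; the function names and the credential in the test are assumptions.

```python
"""Audit an HTTP response for HTTP Basic authentication requested over plaintext."""
import base64
from urllib.parse import urlparse

# Constructed sample response, shaped like the `curl --head` output quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Wed, 09 Apr 2008 15:39:00 GMT\r\n"
    "Server: Apache/2.0.55 (Unix) DAV/2 PHP/5.0.5\r\n"
    'WWW-Authenticate: Basic realm="MSU NetID"\r\n'
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw HTTP response head into (status_code, {lower-case name: [values]})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def auth_schemes(headers):
    """Return the challenge schemes (lower-cased) from every WWW-Authenticate header.

    Only the first token of each header value is taken; a header that packs several
    comma-separated challenges into one value is not split here (assumption).
    """
    return [v.split(None, 1)[0].lower() for v in headers.get("www-authenticate", [])]


def audit(url, raw_response):
    """Classify the credential-exposure risk of a site's authentication challenge."""
    status, headers = parse_head(raw_response)
    transport = urlparse(url).scheme.lower()
    schemes = auth_schemes(headers)
    basic_over_plaintext = status == 401 and "basic" in schemes and transport != "https"
    return {
        "status": status,
        "schemes": schemes,
        "tls": transport == "https",
        # True means the browser will send NetID:password in the clear on every request.
        "basic_over_plaintext": basic_over_plaintext,
        "verdict": "credentials exposed on the wire" if basic_over_plaintext
                   else "no plaintext Basic challenge found",
    }


def decode_basic_authorization(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' header value.

    Demonstrates that Basic is reversible encoding, not encryption: this is exactly
    what a passive observer on an unencrypted hop can do with the captured header.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    report = audit("http://site.with.questionable.auth/", SAMPLE_RESPONSE)
    print(report)
    # Constructed credential, encoded the way a browser would send it.
    sample = "Basic " + base64.b64encode(b"someuser:s3cret").decode()
    print(decode_basic_authorization(sample))
```

The same audit run against an https:// URL returns `basic_over_plaintext: False`, which is the point Jeff makes above: the scheme matters less than whether the hop carrying the password is encrypted. A site that hands the NetID to its own Basic realm over http:// is the case Matt describes, where the third-party application handles the password itself.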