 |
 |
In my simplistic view, I see two issues --- sending your netid over the campus network unencrypted, and then how it is handled on the site itself... The as the site is asking for the netid to be sent unencrypted, I have to be suspicious about the rest of the authentication... -bash-3.00# curl --head http://site.with.questionable.auth/ HTTP/1.1 401 Authorization Required Date: Wed, 09 Apr 2008 15:39:00 GMT Server: Apache/2.0.55 (Unix) DAV/2 PHP/5.0.5 WWW-Authenticate: Basic realm="MSU NetID" Content-Type: text/html; charset=iso-8859-1 I've emailed a person responsible for the site, but haven't gotten a response yet. -Tom Matt Kolb wrote: > On Apr 9, 2008, at 11:20 AM, Jeff Siarto wrote: >> Sentinel authentication already uses ssl when the user is prompted for >> an MSU NetID and password. If the app is using the service correctly, >> it should take them to login.msu.edu (which is secure), authenticate >> them and then send them back to the application with the proper >> credentials. All this is done securely and it shouldn't matter if the >> application itself is hosted under ssl. As far as I know, after the >> initial authentication no other personal data is sent via insecure >> methods. Are my assumptions wrong? > > > Sentinel uses MSU's Kerberos KDC (afsdb0.cl.msu.edu, run by ATS staff) > as it's actual authentication mechanism. I'm assuming what Tom is > referring to is a site that uses either native kerberos or pam_imap or > some other hackery to use a person's NetID and password to > authenticate them. In almost all likelihood, sentinel has nothing to > do with this. > > This being the case, the password is *handled* by the 3rd party > application, which is exactly what I'm recommending avoiding. > > ./mk