DUCK. Welcome to another Naked Security Podcast minisode!

I’m Paul Ducklin, joined as usual by my friend and colleague Chester Wisniewski from Vancouver.

Now, I chose this topic because it just happened to coincide, inadvertently if you like, with the ProxyNotShell/ExchangeDoubleZeroDay problem that Microsoft ran into at the beginning of October 2022…

…and because it involves a thing called OAuth 2, which I know that you are well-informed about, and keen on.

Exchange Online is finally forcing people to switch from what Microsoft referred to as Basic Auth to a thing called Modern Auth.

So I figured, “What better confluence of issues than that?”

So, run us through what this change is all about, and why it is important.

CHET. Well, I like the word Modern, despite the fact that the RFC that we’re discussing is now ten years old… doesn’t feel incredibly modern!

But compared to HTTP Authentication, which was invented in the 1990s in the early browser days, I guess it *does* feel modern in comparison.

As you say, in OAuth, the “Auth” is not authentication, rather it’s authorization. There’s a lot of complexity, but a lot of benefits that come along with that.

And so if we’re looking at HTTP Authentication, all we’re really talking about is asking you to present a credential, which is, for most of us, a username and password in order to gain access to something.

DUCK. And, literally, you just take the username, then put a colon (so you’d better not have a colon in your username), then you put your actual password, then you base64 it…

…and you send it along with the HTTP request and jolly well hope that it’s using TLS and that it’s encrypted, because your password is actually in the request every time.

And that’s problematic for all kinds of reasons, not to mention, like you say, that if somebody is able to decrypt the traffic then they in essence have access to your password.

The other problem, of course, is that the same password probably authenticates to many other things in your environment, especially if we’re talking about Microsoft Exchange, because that password is definitely my Active Directory password, which I also use to authenticate to every other service in the environment in most cases.