FTR,
now I know what is meant by the docs.
"Basic" is referring to basic HTTP auth. In this scheme, the web server
replies "401: Unauthorized" (authentication required) so the browser
asks for user/pass and forwards this data to the server piggybacked to
a retry for the original URL.
The browser keeps the credentials and adds them to all GETs/PUTs from
then on. You usually have to kill the browser to make it forget :)
Now, ASAs are using this scheme to authenticate instead of the old
(ugly?) HTTP screen by default, and as a side effect, the browsers
will "broadcast" the basic credentials to any site an authorized browser
will navigate to afterwards. Not good.
You can go back to "ugly" but safe by using redirect...
Sorry for the noise,
-Carlos
Carlos G Mendioroz @ 15/4/2009 9:27 UTC -0300 dixit:
> Hi,
> I'm unwilling to believe something I have read:
> cisco says that if you have basic (i.e. traditional intercept) http
> authentication proxy enabled, your credentials are forwarded to
> the initial web server you were accessing when the authentication
> happens.
> If this is http, this in turn goes in cleartext, so it makes a big
> security issue.
>
> Now, why would it do that ? I mean, forward the credentials...
>
> Perplexed,
> -Carlos
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Blogs and organic groups at http://www.ccie.net

Received on Wed Apr 15 2009 - 13:44:04 ART
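
The Basic exchange described in the message above, as an added example that is not part of the original post: a Basic `Authorization` header is only base64-encoded, so this audit decodes it and lists which destinations received credentials over cleartext HTTP. The requests, host names and the user `alice` are constructed sample data.

```python
import base64
import binascii

# Constructed credential; on the wire it is only base64("user:password").
_TOKEN = base64.b64encode(b"alice:s3cret").decode()

# Constructed sample: (scheme, raw request) pairs as a proxy log or capture would hold them.
SAMPLE_REQUESTS = [
    ("http", "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # first try, answered 401
    ("http", f"GET / HTTP/1.1\r\nHost: www.example.com\r\nAuthorization: Basic {_TOKEN}\r\n\r\n"),
    ("https", f"GET / HTTP/1.1\r\nHost: intranet.example.net\r\nAuthorization: Basic {_TOKEN}\r\n\r\n"),
    ("http", "GET / HTTP/1.1\r\nHost: api.example.org\r\nAuthorization: Bearer abc.def\r\n\r\n"),
    ("http", "GET / HTTP/1.1\r\nHost: bad.example.org\r\nauthorization: basic !!!notbase64\r\n\r\n"),
]

def parse_headers(raw):
    """Return {lowercased header name: value} for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def basic_credentials(headers):
    """Decode an Authorization: Basic header; return (user, password) or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token, nothing recoverable
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """List (host, user) for each request that carried Basic credentials over plain HTTP."""
    findings = []
    for scheme, raw in requests:
        headers = parse_headers(raw)
        creds = basic_credentials(headers)
        if creds and scheme == "http":
            findings.append((headers.get("host", "?"), creds[0]))
    return findings

if __name__ == "__main__":
    for host, user in audit(SAMPLE_REQUESTS):
        print(f"cleartext Basic credentials for user {user!r} sent to {host}")
```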