undefined | Better HN

0 pointsjosephcsible4y ago0 comments

> transmitting the password, rather than some form of token, means that this approach is exactly as insecure as HTTP basic auth over TLS, and how many serious enterprise apps use that?

Isn't that also exactly as insecure as submitting an HTML form with <input type="password"> is? And I can't think of any enterprise apps that don't use either HTTP basic auth or that over TLS. Which ones are you thinking of?

0 comments

maxtardiveau24y ago

> Isn't that also exactly as insecure as submitting an HTML form with <input type="password"> is?

Absolutely, but I am arguing that this is not worthy of an enterprise system like SQL Server. This is especially true for a back-end system, because at least in a web browser, you'd get a warning if the certificate cannot be verified (and the connection is therefore vulnerable).

> Which ones are you thinking of?

Most of the enterprise apps I have worked with use something like OAuth or SAML. For sure, many have an option to use basic auth, but that's only used for testing and development, and would be a red flag in any security audit.

I'll just quote Microsoft's documentation <https://docs.microsoft.com/en-us/sql/relational-databases/se...>:

  Disadvantages of SQL Server Authentication

  The encrypted SQL Server Authentication login password, must be passed over the network at the time of the connection.

It's good that they acknowledge it, but it would be a lot better if they did something about it.

josephcsibleOP4y ago

> Most of the enterprise apps I have worked with use something like OAuth or SAML.

If an app is a SAML SP or an OAuth client, then it's not really doing authentication itself, but rather delegating it to another system. When you go to log in to the SAML IdP or the OAuth authorization server, where the authentication actually happens, don't they let you use HTTP basic authentication or <input type="password">?

maxtardiveau24y ago

You're right, I should not have gone on that tangent.

To get back to the main point, though, don't you think that the fact that Microsoft includes a disclaimer (kinda) in their docs lends some credence to the idea that they're not really proud of this?

1 more reply

j / k navigate · click thread line to collapse

0 comments

maxtardiveau24y ago

> Isn't that also exactly as insecure as submitting an HTML form with <input type="password"> is?

> Which ones are you thinking of?

I'll just quote Microsoft's documentation <https://docs.microsoft.com/en-us/sql/relational-databases/se...>:

  Disadvantages of SQL Server Authentication

  The encrypted SQL Server Authentication login password, must be passed over the network at the time of the connection.

It's good that they acknowledge it, but it would be a lot better if they did something about it.

josephcsibleOP4y ago

> Most of the enterprise apps I have worked with use something like OAuth or SAML.

maxtardiveau24y ago

You're right, I should not have gone on that tangent.

To get back to the main point, though, don't you think that the fact that Microsoft includes a disclaimer (kinda) in their docs lends some credence to the idea that they're not really proud of this?

1 more reply

j / k navigate · click thread line to collapse