06-20-2006, 10:06 PM
FBOP Class Of 2013
Join Date: Jan 2004
Location: bumfuck, ky
Posts: 35,562
Strongboxxx man...the ONLY way to go
Quote:
How does the Strongbox security system™ compare to PennyWize?
First off, the Strongbox security system™ isn't really directly comparable to PennyWize or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with the Strongbox security system™ there is no monthly fee and no reliance on someone else's server for your protection. PennyWize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing the Strongbox security system™ as the next generation in security.

Now for the technical part: PennyWize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed. One major weakness is that Basic Authentication - the pop-up gray box - does not distinguish between the two main phases that you learn about in security 101. The first day of a computer security course you'll hear about the two phases: "authentication", making sure the user is who they say they are, and "authorization", checking if they are allowed to access this particular page, etc. The authentication phase is when they log in; the authorization happens every time they view a page or image. With basic auth, they never log in. Their username and password are sent by the browser every time it requests a page or image. Because they never actually log in, you never get to thoroughly check them out.

For example, the Strongbox security system™ can analyze which countries login requests are coming from, something that the monthly fee services cannot do because of the hit-by-hit analysis their old-fashioned approach requires. There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared. PennyWize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up. PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. The Strongbox security system™, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system. PennyWize and similar systems are also easily defeated by proxy based attacks. See the above question about proxies.
http://www.bettercgi.com/strongbox/index.html
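As an added illustration of the two-phase point in the quoted FAQ (this is example code, not anything from bettercgi, Strongbox or the poster), the Python sketch below contrasts the two models: the Basic header parser shows that the raw credentials ride along on every request, while the separate login/authorize pair shows where a one-time check such as the country of the login request can live. The user store, the allowed-country policy and the `/members/` path prefix are all constructed for the example.

```python
import base64
import binascii
import hmac
import secrets
from hashlib import sha256

# Constructed demo user store: username -> SHA-256 of the password.
# (Unsalted hashing is for brevity only; real stores use a password KDF.)
USERS = {"alice": sha256(b"correct horse").hexdigest()}
ALLOWED_COUNTRIES = {"US", "CA"}   # constructed login-time policy
SESSIONS = {}                      # token -> username, filled only by login()

# Constructed sample of what a browser sends on *every* Basic-auth request.
EXAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:correct horse").decode()


def parse_basic_auth(header):
    """Decode an HTTP Basic 'Authorization' header into (username, password).

    There is no login step in Basic auth: the same header, carrying the
    password itself, arrives with each page or image request, so any check
    the server wants to make has to be repeated hit by hit.
    Returns None for a missing or malformed header.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def login(username, password, client_country):
    """Authentication phase: runs once per session, so one-time checks
    (here, the country the login came from) fit naturally. Returns a
    random session token on success, None otherwise."""
    expected = USERS.get(username)
    presented = sha256(password.encode("utf-8")).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    if client_country not in ALLOWED_COUNTRIES:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def authorize(token, resource):
    """Authorization phase: runs on every request, but consults only the
    session established at login, never the password. Unknown tokens and
    paths outside the constructed members area are refused."""
    return token in SESSIONS and resource.startswith("/members/")
```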