RE: [squid-users] [ADVISORY] SQUID-2011:2 Password truncation in NCSA using DES

From: Jenny Lee <bodycare_5_at_live.com>
Date: Sun, 28 Aug 2011 12:30:05 +0000

My honest opinion is that this is a totally unnecessary change. And a brutal one too.
 
What difference does it make if it is 8 chars or 888 chars? It is going plaintext over the wire.
 
For people having established systems, these functions are scattered everywhere -- in CGIs, PHPs, password changers, etc. It is not as easy as adding an "-m" to htpasswd. I have to revise an entire platform for this to find out exactly where these are.
 
Wouldn't making this optional be a better solution? Or informing people to use an older ncsa_auth?
 
This change caused denial-of-service for many users in my system and it took 2 days to figure it out. People are not necessarily computer literate and they don't exactly point out what the problem is. They just say: "It is not working". It takes 20 emails back and forth and countless work hours to figure out what exactly is not working.
 
This one bit me very bad!
 
Jenny
 

----------------------------------------
> Date: Sun, 28 Aug 2011 22:29:18 +1200
> From: squid3_at_treenet.co.nz
> To: squid-announce_at_squid-cache.org; squid-users_at_squid-cache.org
> Subject: [squid-users] [ADVISORY] SQUID-2011:2 Password truncation in NCSA using DES
>
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2011:2
> __________________________________________________________________
>
> Advisory ID: SQUID-2011:2
> Date: August 27, 2010
> Summary: Password truncation in NCSA using DES
> Affected versions: Squid 3.0 -> 3.0.STABLE25
> Squid 3.1 -> 3.1.14
> Squid 3.2 -> 3.2.0.10
> Fixed in version: Squid 3.2.0.11, 3.1.15, 3.0.STABLE26
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2011_2.txt
> __________________________________________________________________
>
> Problem Description:
>
> DES algorithm implemented by htpasswd and crypt() in some popular
> encryption libraries silently truncates passwords. Squid NCSA
> authentication helper permits long and complex passwords to be
> used with DES despite this well-known issue, leaving users with
> a false view of their security.

Received on Sun Aug 28 2011 - 12:30:22 MDT
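The practical problem raised in this message is finding which accounts are still stored as traditional DES crypt() hashes before the ncsa_auth change bites them, since only those accounts have passwords silently checked against the first 8 characters. The following audit script is an added example for this thread, not code from Squid or from the poster. It assumes the usual Apache htpasswd hash conventions (13-character DES, `$apr1$` MD5, `{SHA}` SHA-1, `$2y$` bcrypt) and uses a constructed sample file with placeholder hash values; the optional `demonstrate_truncation()` check reproduces the truncation with the platform crypt() where that module and DES are still available.

```python
"""Audit an htpasswd-style file for DES crypt() entries.

Added example for this thread, not code from Squid or from the poster.
Traditional DES crypt() uses only the first 8 characters of a password,
so accounts whose hash is in that format are the ones affected by the
SQUID-2011:2 change in ncsa_auth. The sample file below is constructed.
"""
import re
import warnings

# Constructed sample htpasswd content; every hash is a format-valid placeholder.
SAMPLE_HTPASSWD = """\
# constructed test data
alice:ab0123456789A
bob:$apr1$saltsalt$0123456789012345678901
carol:{SHA}012345678901234567890123456=
dave:$2y$05$01234567890123456789012345678901234567890123456789012
erin:ab0123456789A
"""

# Hash formats htpasswd can emit (assumed conventions, checked by shape only).
HASH_FORMATS = (
    ("des", re.compile(r"^[./0-9A-Za-z]{13}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
)

DES_MAX_PASSWORD_CHARS = 8


def classify_hash(hashed):
    """Name the hash format of one htpasswd field, or 'unknown'."""
    for name, pattern in HASH_FORMATS:
        if pattern.match(hashed):
            return name
    return "unknown"


def parse_htpasswd(text):
    """Return (user, hash) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            continue
        entries.append((user, hashed))
    return entries


def audit_htpasswd(text):
    """Map every user in the file to its hash format."""
    return {user: classify_hash(hashed) for user, hashed in parse_htpasswd(text)}


def des_users(text):
    """Users whose password is silently truncated to 8 characters by DES crypt()."""
    return [u for u, fmt in audit_htpasswd(text).items() if fmt == "des"]


def des_effective_password(password):
    """Characters DES crypt() actually compares: first 8, high bit dropped."""
    return "".join(chr(ord(c) & 0x7F) for c in password[:DES_MAX_PASSWORD_CHARS])


def demonstrate_truncation(password="longpassword1"):
    """Return True if the platform crypt() accepts the truncated password too.

    Returns None when the crypt module is unavailable (removed in Python 3.13)
    or the platform's crypt() no longer supports traditional DES.
    """
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    try:
        hashed = crypt.crypt(password, "ab")  # 2-char salt selects traditional DES
    except OSError:
        return None
    if not hashed or len(hashed) != 13:
        return None
    return crypt.crypt(password[:DES_MAX_PASSWORD_CHARS], hashed) == hashed


if __name__ == "__main__":
    for user, fmt in audit_htpasswd(SAMPLE_HTPASSWD).items():
        flag = " <- DES: only first 8 password chars checked" if fmt == "des" else ""
        print(f"{user}: {fmt}{flag}")
    print("crypt() truncation reproduced:", demonstrate_truncation())
```

Run against a real password file by replacing `SAMPLE_HTPASSWD` with its contents; the users listed by `des_users()` are the ones whose entries need to be regenerated with a non-DES format (for example `htpasswd -m`) before the helper starts rejecting their long passwords.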