Ticket #5116 (new Feature Requests)

Opened 2 years ago

Last modified 1 year ago

Basic authentication should not be used to protect web pages

Reported by: obelisk
Assigned to:
Priority: minor
Milestone: Undetermined
Component: FreePBX Framework
Version: 2.9-branch
Keywords: security
Cc:
Confirmation: Unreviewed
Distro:
Backend Engine: All
Distro Ver:
Backend Ver:
SVN Revision (if applicable):

Description

FreePBX uses Basic authentication despite the fact the user credentials can be sniffed off the network or proxy by anyone watching the traffic. Digest authentication should be used instead.
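Added example, not part of the ticket or of FreePBX's code: what each scheme puts on the wire, using the sample values published in RFC 2617. The function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    # Basic: the credentials are only base64-encoded, not hashed or encrypted.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def read_basic_header(header):
    # Any proxy or capture point that sees the header recovers the password
    # with a single decode; no secret is involved.
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # Digest (RFC 2617, qop=auth): only a hash bound to the server nonce is sent.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # The server stores HA1, recomputes the response for the nonce it issued,
    # and compares in constant time. A response made for another nonce fails.
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Sample values from RFC 2617, not FreePBX credentials.
    print(read_basic_header(basic_header("Aladdin", "open sesame")))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

Digest only keeps the password itself off the wire; the MD5 response and the rest of the session remain visible to an observer, so TLS is still needed for confidentiality.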

Change History

04/28/11 04:20:52 changed by mbrevda

  • priority changed from major to minor.
  • type changed from Bugs to Feature Requests.

Maybe tls while you're at it? Or just build in a vpn! Seriously though, you probably shouldn't have the web port exposed anyway, and tunnel to your box over the uber-secure ssh.

Fair request though.

04/28/11 13:27:07 changed by p_lindheimer

  • owner changed.
  • component changed from Web interface to FreePBX Framework.

02/14/12 23:47:52 changed by obelisk

By the same logic you can argue Digest authentication used in SIP transactions is unnecessary, we should be fine with Basic. After all no one can see packets as they travel through the network and none of the proxies used by users have visibility into credentials transmitted using Basic authentication ;-)

02/16/12 06:34:45 changed by mbrevda

@obelisk feel free to provide a patch that emulates digest auth with the new forms based login (i.e. get a salt from the server, then salt+hash the password and send back just the hash). Until then, we see a difference between an admin gui and the very essence of a sip based system: sip was designed to be a system for interconnecting systems and by its very definition requires that it be open to the world and very, very secure. The admin gui was designed for a single - and competent - user. We suggest never opening the web gui to the internet, especially as we're on a unix based host and ssh tunneling is ubiquitously available.

Hence, coupled with our extremely constrained and limited development resources, we have decided that our time is better spent on other features and stability improvements. That isn't to say that your idea is not a good one or that we WON'T do it - only that for now it's not a high priority.

02/20/12 22:34:01 changed by p_lindheimer

  • milestone changed from 2.10 to Undetermined.

(follow-up: ↓ 7 ) 03/28/12 22:39:33 changed by obelisk

The real problem here is the FreePBX team violated one of the fundamental rules of security: "Thou shalt not design your own authentication mechanisms". Instead you should rely on the web server to provide authentication. Why burden FreePBX with these issues esp if you lack the expertise to do it right ;-)

(in reply to: ↑ 6 ) 03/29/12 12:11:20 changed by p_lindheimer

Replying to obelisk:

The real problem here is the FreePBX team violated one of the fundamental rules of security: "Thou shalt not design your own authentication mechanisms". Instead you should rely on the web server to provide authentication. Why burden FreePBX with these issues esp if you lack the expertise to do it right ;-)

Actually FreePBX provides you a choice of authentication. You can either turn off authentication relying solely on the web server and thus your choice of authentication which is adequate for many users, or you can set FreePBX in a hybrid mode which again counts on the web server to do the authentication but then pulls out the authenticated username to match against the Administrators internal database.