[squeak-dev] Re: SqueakSource question

Andreas Raab andreas.raab at gmx.de
Wed Feb 24 13:20:32 UTC 2010


K. K. Subramaniam wrote:
> On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
>> http://www.wireshark.org/
>>
>> 'nuff said. An hour in promiscuous mode on a public network will likely 
>> be enough to net you a couple of "interesting" passwords. If you write a 
>> custom filter that just greps for "Authorization: Basic" you can watch 
>> those passwords in real-time
> Please don't even try this.
> 
> Decoding passwords on a public network without authorization could run foul of 
> local laws in many countries. Technical feasibility or academic interest is 
> not sufficient excuse.

Absolutely! This was *not* an invitation to try it. It was an attempt to 
scare the hell out of all of you who think "basic auth is fine" by 
showing just how trivial it would be for an attacker in the right 
location to sniff your passwords.

Basic auth is *not* fine. Bruce Schneier isn't always right, but that 
doesn't mean he's always wrong.

Cheers,
   - Andreas
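
An added example, not part of the original message: the reason cleartext Basic auth is exposed is that the `Authorization: Basic` value is only base64 of `user:password` (RFC 7617), with no key involved. The sketch below is a server-side audit that flags requests whose Basic credentials arrived without TLS and reports the account name but never the secret; the `audit` and `basic_credentials` names, the `(used_tls, raw_request_head)` record shape, and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

def basic_credentials(header_value):
    """Return (user, password) if the value is RFC 7617 Basic credentials, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id cannot contain ':', so the first colon is the separator.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """requests: iterable of (used_tls, raw_request_head) records (assumed shape).
    Returns one finding per Basic credential that crossed the network without TLS."""
    findings = []
    for used_tls, head in requests:
        lines = head.split("\r\n")
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            creds = basic_credentials(value)
            if creds and not used_tls:
                user, password = creds
                # Report the affected account, never the secret itself.
                findings.append({"request": lines[0], "user": user,
                                 "password_chars": len(password)})
    return findings

# Constructed sample input (not from a real capture).
SAMPLE = [
    (False, "GET /repo HTTP/1.1\r\nHost: example.test\r\n"
            "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"),
    (True,  "GET /repo HTTP/1.1\r\nHost: example.test\r\n"
            "Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode() + "\r\n"),
    (False, "GET /public HTTP/1.1\r\nHost: example.test\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Accounts that appear in the findings should be treated as exposed: rotate their passwords and move the endpoint behind TLS.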


