
How to block login popup from remote site?

If a remote web or ftp site returns a 407 error, UTM passes it through to the browser, which gives the user a login popup. If the site is http or ftp, then the credentials are returned unencrypted. Because the whole pop-up is often unexpected and the site name is in relatively small letters, the user may assume that he is supposed to enter his domain user and password. This will pass secure credentials to the remote site and will pass them insecurely.

Is there a way to configure UTM to return a status that does not permit browser authentication to be triggered by the remote site?



  • So, to net this conversation out, Doug's original concern was unfounded.  The prompt he saw did not originate from the remote site.  Correct?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nothing unfounded, I just had my http codes confused.

    I have a hosting service for a personal domain, which shall remain nameless because I am growing disaffected as I identify their security problems.

    They support authenticated ftp for uploading and downloading files. If I browse to the ftp site, I see a login popup whether running through UTM or not.

    When I realized all of the problems associated with a popup login prompt, I realized that I should block the login prompt, whether coming from an ftp site or an http(s) site. Ftp and http are a problem because they are not encrypted, and even https is a problem because the user is likely to release internal credentials as a social engineering mistake.

    I want a policy that says ftp is only allowed if it is anonymous.
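
The policy asked for in this thread, sketched as an added example (not part of the original posts and not a Sophos UTM setting): a filter that turns a remote site's 401/407 challenge into a 403 so the browser has nothing to prompt for, and an FTP control-channel check that lets only anonymous `USER` logins through. The function names and the sample data are constructed for illustration.

```python
# Added illustration: generic proxy-side policy logic, not UTM configuration.

# Response headers that carry an authentication challenge to the browser.
CHALLENGE_HEADERS = {"www-authenticate", "proxy-authenticate"}


def filter_remote_response(status, headers):
    """Neutralise an authentication challenge sent by a remote site.

    headers is a list of (name, value) tuples from the remote server.
    A 401/407 is rewritten to 403 and the challenge headers are dropped,
    so the browser shows an error page instead of a login prompt.
    """
    if status not in (401, 407):
        return status, headers
    kept = [(n, v) for n, v in headers if n.lower() not in CHALLENGE_HEADERS]
    return 403, kept


def ftp_user_allowed(command_line):
    """Permit an FTP USER command only when the login is anonymous."""
    verb, _, arg = command_line.strip().partition(" ")
    if verb.upper() != "USER":
        return True  # only the login name is policed here
    return arg.strip().lower() in ("anonymous", "ftp")


if __name__ == "__main__":
    # Constructed sample response from a remote HTTP site.
    sample = [("WWW-Authenticate", 'Basic realm="files"'), ("Server", "example")]
    print(filter_remote_response(401, sample))
    # Constructed FTP control-channel lines.
    for line in ("USER anonymous\r\n", "USER doug\r\n", "PASV\r\n"):
        print(repr(line), ftp_user_allowed(line))
```

A proxy applying the first function would also replace the response body with its own block page, which the sketch leaves out.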
