Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "Christian Frichot" <xntrik@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 12:17:54 +0800
Hey Wilke,
If you can see the credentials in the clear (even though the session is over
HTTPS) I would probably say that it is *not* secure. (This depends if you
are using Basic/Digest HTTP authentication though maybe?)
As far as this being an indication that the system is not using a salt, that
is more difficult to say. The salt isn't often sent by the client, as it
should be stored in the user-store. My understanding of the salt is to
mitigate against rainbow table (http://en.wikipedia.org/wiki/Rainbow_table)
type attacks if an attacker manages to get a copy of the user store for
offline attacks.
If the system is already utilising HTTPS it may be better to modify the web
app so that user authentication sends that data via the encrypted channel,
not in any unencrypted channels (such as the HTTP header).
Of course, you've mentioned that the site does require better security due
to the contents, so implementing best-practice for web authentication is
probably a good idea. I would also recommend that any controls you're
looking to implement are an outcome of a risk-management-based approach. For
example, you won't want to spend all this effort implementing an awesome
authentication process, but then the session and authorisation scheme is
broken allowing anyone to just visit particular URLs without authentication.
Hope this helps!
Regards,
Christian Frichot
e: xntrik@gmail.com
w: http://un-excogitate.org
On Mon, Jun 16, 2008 at 9:28 AM, wilke rodriquez <wilkepower@msn.com> wrote:
> Hi All,
>
> I recently came across a website that passed the user credentials through
> the http header in clear-text but via https.
> Is this practice considered secure?
> Would this also show that the passwords are being stored in clear-text and
> not encrypted with a salt value in the db?
> It seems to me there are a few more secure options when dealing with
> authentication. What do you all suggest as the best for a low-user (less than
> 10) system?
> The system does need added security due to the contents.
>
> Thanks
>
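The reply above explains that the salt lives in the user store rather than travelling from the client, and that its job is to defeat precomputed (rainbow table) attacks on a stolen user store. The following is an added illustration of that storage scheme, written for this page and not code from either poster or from webappsec.org; it assumes PBKDF2-HMAC-SHA256 with a per-user 16-byte random salt, and the user name and password in the demo are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example (not from the thread): PBKDF2-HMAC-SHA256
# with a 16-byte random salt. The iteration count is kept modest so the demo runs fast;
# a production deployment would tune it to the hardware it runs on.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record {salt, iterations, hash} that goes into the user store.

    A fresh random salt is drawn for every call (i.e. per user) unless one is
    supplied explicitly, which is only done here to make the test deterministic.
    The salt is stored beside the hash; it is not a secret and the client never
    needs to know it.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Two users who pick the same password end up with different stored hashes.

    This is exactly what makes a precomputed table useless: the attacker would
    need one table per salt value, not one table for everyone.
    """
    a = hash_password(password)
    b = hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    # Constructed user store: only the salted hash record is kept, never the password.
    user_store = {"demo-user": hash_password("correct horse battery staple")}
    print(user_store["demo-user"])
    print(verify_password("correct horse battery staple", user_store["demo-user"]))  # True
    print(verify_password("wrong password", user_store["demo-user"]))                # False
    print(same_password_different_hashes("correct horse battery staple"))            # True
```

The point to take from the thread is that seeing the password in the clear inside the TLS session says nothing about how it is stored on the server: the salting and hashing happen after the credential arrives, so the only way to know whether the store is salted is to inspect the store itself.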
Brought to you by http://www.webappsec.org