
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



Hi Wilke

I think that using SSL without relying on some other encryption mechanism for credentials is now safe.
As you know, it is easy to build an SSL Man in the Middle attack with fake certificates, either with dsniff-webmitm-ssldump or directly with Ettercap or Cain (both Italian products ;) )


If SSL traffic can be sniffed and decrypted by someone in your subnet, or by someone who compromised one of your routers
creating something like a GRE tunnel, then you're f*****


About how to store passwords in the DB:
A salt is always recommended, but if you store passwords hashed with SHA-256 or even SHA-512 you're almost safe, despite the rainbow tables ;) If you want to be really secure then use a strong symmetric cipher like AES (to follow the standard) or better Serpent.


I hope I clarified your doubts ;)

All the Best

Michele Orru'
Security Engineer @ Orrlob.com

Hi All,
I recently came across a website that passed the user credentials through the HTTP header in clear text but via HTTPS. Is this practice considered secure? Would this also show that the passwords are being stored in clear text and not encrypted with a salt value in the DB?
It seems to me there are a few more secure options when dealing with authentication. What do you all suggest as the best for a low-user (fewer than 10) system?
The system does need added security due to the contents.
Thanks
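The salted-hash storage that the reply above recommends, as an added example (not code from either poster): each user gets a fresh random salt, the stored digest is SHA-256 over salt plus password, and verification recomputes the digest with the stored salt and compares in constant time. The in-memory USER_DB and the user names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt_hex, digest_hex).
USER_DB = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as the reply describes: SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_user(username: str, password: str) -> None:
    """Generate a fresh random 16-byte salt per user; store salt and digest,
    never the password itself."""
    salt = os.urandom(16)
    USER_DB[username] = (salt.hex(), hash_password(password, salt).hex())


def verify_user(username: str, password: str) -> bool:
    """Recompute the digest with the user's stored salt and compare it to the
    stored digest in constant time (avoids a timing side channel)."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt_hex, digest_hex = record
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_digest(password: str) -> bool:
    """Why the salt matters against precomputed (rainbow) tables: two users
    with the same password still end up with different stored digests.
    Returns True only if the digests collide, which they should not."""
    store_user("alice", password)
    store_user("bob", password)
    return USER_DB["alice"][1] == USER_DB["bob"][1]
```

Plain SHA-256 is fast to compute, so a per-user salt defeats shared precomputed tables but not a targeted brute-force of one salted digest; current practice layers a deliberately slow password KDF (PBKDF2, bcrypt, scrypt or Argon2) on top of the salt.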

