Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "Licky Lindsay" <noontar@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 11:25:34 -0400

On Mon, Jun 16, 2008 at 9:13 AM, Bil Corry <bil@xxxxxxxxx> wrote:
> wilke rodriquez wrote on 6/15/2008 8:28 PM:
>>
>> I recently came across a website that passed the user credentials through
>> the http header in clear-text but via https. Is this practice
>> considered secure?
>
> Secure as compared to what? It's not less secure than passing the username
> and password as clear text via a form POST over HTTPS, which is how my bank,
> mortgage company, credit card companies, etc have me log into their sites.
> Not saying that's ideal, but that is the security they're using.

Exactly what I was thinking. If the folks who already responded "no
it's not very secure" could indulge my ignorance a little, this means
that you level the same charge against nearly every passworded site on
the Internet, doesn't it?
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org