
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?




Coming back to the original question,

when SSL is used:

  - The browser does not keep a log of the actual URL string (at least last
time I looked they didn't)
  - The URL will also be protected by SSL
  - The only place where the passwords will be stored are the web server
logs

right?

SSL man-in-the-middle attacks are a red herring in this discussion, since if
the attacker can do that he/she will be able to read all content (including
the username & password submitted by web forms), and that is a different
question.

So unless there is a funky way to access that URL from JavaScript (or
pre/post login XSS), the practice of placing the username and password in
the URL has the same risk profile as using it in a POST form.

Dinis Cruz

On Mon, Jun 16, 2008 at 4:25 PM, Licky Lindsay <noontar@gmail.com> wrote:

> On Mon, Jun 16, 2008 at 9:13 AM, Bil Corry <bil@corry.biz> wrote:
> > wilke rodriquez wrote on 6/15/2008 8:28 PM:
> >>
> >> I recently came across a website that passed the user credentials
> through
> >> the http header in clear-text but via https. Is this practice
> >>  considered secure?
> >
> > Secure as compared to what?  It's not less secure than passing the
> username
> > and password as clear text via a form POST over HTTPS, which is how my
> bank,
> > mortgage company, credit card companies, etc have me log into their
> sites.
> >  Not saying that's ideal, but that is the security they're using.
>
> Exactly what I was thinking. If the folks who already responded "no
> it's not very secure" could indulge my ignorance a little, this means
> that you level the same charge against nearly every passworded site on
> the Internet, doesn't it?
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

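The thread settles on web server logs as the place where credentials sent in a URL end up. Two concrete checks a practitioner would run follow, as an added example that is not code from the thread or from any poster: an audit that scans access-log lines for credential-looking query parameters, in both the request line and the Referer field (a GET login URL is also carried in the Referer of the next request the browser makes), and a redaction pass for logs that already contain them. The log lines are constructed, and the combined-format regex and the list of parameter names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# Line 1: credentials in a GET query string.
# Line 2: the same URL leaking again via the Referer of the follow-up request.
# Line 3: the POST variant, which keeps credentials out of the log.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2008:16:25:01 +0000] "GET /login?username=alice&password=S3cret%21 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jun/2008:16:25:02 +0000] "GET /account HTTP/1.1" 200 1843 "https://example.test/login?username=alice&password=S3cret%21" "Mozilla/5.0"
198.51.100.9 - - [16/Jun/2008:16:26:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names treated as credentials; an assumption, extend for your application.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def sensitive_params(url):
    """Return {name: value} for query parameters whose name looks like a credential."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def audit_line(line):
    """Return [(field, method, [param names])] for every place a line leaks a credential."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("target", "referer"):
        found = sensitive_params(m.group(field))
        if found:
            findings.append((field, m.group("method"), sorted(found)))
    return findings


def audit_log(text):
    """Scan a whole log; returns [(line number, field, method, [param names])]."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        for field, method, names in audit_line(line):
            report.append((n, field, method, names))
    return report


def redact_url(url):
    """Replace the value of every credential-looking query parameter, keeping the rest intact."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_line(line):
    """Scrub the request target and Referer of one log line; unparseable lines pass through."""
    m = COMBINED_RE.match(line)
    if not m:
        return line
    out = line
    # Replace the later span (referer) first so the earlier span's offsets stay valid.
    for field in ("referer", "target"):
        start, end = m.span(field)
        out = out[:start] + redact_url(m.group(field)) + out[end:]
    return out


if __name__ == "__main__":
    for n, field, method, names in audit_log(SAMPLE_LOG):
        print(f"line {n}: {method} leaks {names} in {field}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The audit reports line 1 (request line) and line 2 (Referer) and stays silent on the POST, which is the difference the thread is weighing; redaction is a mitigation for existing logs, not a substitute for moving the credentials into the POST body.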



Brought to you by http://www.webappsec.org