Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "James Landis" <jcl24@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 10:16:49 -0700
On Mon, Jun 16, 2008 at 9:38 AM, Dinis Cruz <dinis@xxxxxxxxxx> wrote:
> So unless there is a funky way to access that URL from JavaScript (or
> pre/post login XSS), the practice of placing the username and password on
> the URL has the same risk profile as using it on a POST form
>
No! Placing sensitive data in the URL is much riskier for at least the
following major reasons:
1) Leakable via Referer headers, especially via 3rd-party image/tracking
2) Shoulder-surfable
3) Much more likely to be stored in Web server/proxy/load balancer logs
4) Definitely cacheable in URL history in Firefox
Never include sensitive information as a parameter in a URL!
What others are saying about 'cleartext' passwords over SSL is correct
- EVERYONE does this. I assume the original poster meant HTTP Basic
auth when he said that the username/password was included in a header.
One of the main problems with this scheme is that the raw username and
password are sent with EVERY request to the site. Most forms-based
auth schemes only require the password to be sent once, and then the
authentication information gets tied to the session token which is
sent with every subsequent request. This is a much safer way of
handling the credentials.
It's overkill to try to encrypt the raw credential before sending it
over SSL. If someone can decrypt your SSL session, then you're pretty
much screwed anyway and using a digest authentication scheme isn't
going to help you all that much.
-j
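The log-exposure and Referer-leak points above (reasons 1 and 3) are easy to check for in practice. The following is an added example, not code from this mail or from the list: a small scanner that reads access-log lines in Combined Log Format and flags credential-looking query parameters, both in the server's own request line and in the Referer field (which is what a third-party image or tracker host would see). The parameter-name list `SENSITIVE_PARAMS` and the three log lines are constructed for the example; the host names and IPs are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format, as written by Apache/nginx by default:
# host ident authuser [time] "request line" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names that usually carry a credential. Assumption: a starting
# list; extend it with the parameter names your own login form uses.
SENSITIVE_PARAMS = {
    "username", "user", "password", "passwd", "pass", "pwd", "token", "sessionid",
}


def sensitive_params_in_url(url):
    """Return {name: value} for query parameters whose name looks like a credential.

    Works for a bare request target ("/login?user=a") and for a full URL
    (a Referer value), since urlsplit handles both.
    """
    return {
        name: value
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    }


def scan_log_line(line):
    """Return a list of (where, detail, [param names]) findings for one log line.

    'where' is "request-url" when the credential sits in this server's own
    request line (it was in a URL this server handled), or "referer" when a
    browser carried it here from another site's URL (the third-party
    image/tracker case); 'detail' is the method or the referring host.
    """
    m = LOG_RE.match(line)
    if m is None:
        return []  # not Combined Log Format; nothing to say about it
    findings = []
    parts = m.group("request").split(" ")
    method, target = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    leaked = sensitive_params_in_url(target)
    if leaked:
        findings.append(("request-url", method, sorted(leaked)))
    referer = m.group("referer")
    if referer not in ("", "-"):
        leaked = sensitive_params_in_url(referer)
        if leaked:
            findings.append(("referer", urlsplit(referer).netloc, sorted(leaked)))
    return findings


def scan_log(lines):
    """Map each offending line number (1-based) to its findings."""
    report = {}
    for lineno, line in enumerate(lines, 1):
        findings = scan_log_line(line)
        if findings:
            report[lineno] = findings
    return report


# Constructed sample lines (not real traffic). Line 1: credentials in a GET
# query string land in the log verbatim. Line 2: the same login done with
# POST; the body is never written to the access log. Line 3: what a
# third-party tracker's log shows when a page whose URL carries the
# credentials embeds its pixel: the full URL arrives in the Referer header.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2008:10:16:49 -0700] '
    '"GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jun/2008:10:17:02 -0700] '
    '"POST /login HTTP/1.1" 302 0 "https://app.example/login" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jun/2008:10:17:30 -0700] '
    '"GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://app.example/account?username=alice&password=hunter2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG).items():
        for where, detail, names in findings:
            print(f"line {lineno}: {where} ({detail}) exposes {', '.join(names)}")
```

Run against a real access log, the "request-url" hits show you where your own application put credentials into a URL; the "referer" hits are the more uncomfortable case, because if they appear in your log they are also appearing in the logs of every third-party host your pages load resources from, and the fix is on the application that built the URL, not on the logging.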
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org