
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



--On Monday, June 16, 2008 17:38:53 +0100 Dinis Cruz <dinis@xxxxxxxxxx> wrote:

coming back to the original question,

when SSL is used:

  - The browser does not keep a log of the actual URL string (at least last time I looked they didn't)
  - The URL will also be protected by SSL
  - The only place where the passwords will be stored are the web server logs

right?


The only place I'm aware of (in my admittedly limited exposure) in which passwords are "stored" in logs is MySQL. I'm not aware of any webserver that stores credentials in its logs. It would seem a rather brain-dead thing to do.


MySQL doesn't log queries by default, but, if you enable query logging *and* you change someone's password using the plaintext version of password changing (SET PASSWORD = PASSWORD('foobar');), *then* (and only then) the password will appear in plaintext in a log.

--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.
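
An added example, not part of the original message: a small scanner that flags and redacts plaintext password literals in log lines, covering the SET PASSWORD = PASSWORD('...') statement described above and password parameters in a logged request URL, the case the quoted message raises. It goes beyond the message by also matching IDENTIFIED BY '...'; the parameter names and the sample log lines are constructed assumptions.

```python
import re

# MySQL statements that carry a plaintext password literal. The
# PASSWORD('...') form is the one named in the message; IDENTIFIED BY '...'
# is an addition here.
SQL_SECRET = re.compile(
    r"""(\bPASSWORD\s*\(\s*|\bIDENTIFIED\s+BY\s+)  # statement prefix, kept
        (['"])(?:\\.|(?!\2).)*\2                    # quoted literal, replaced
    """,
    re.IGNORECASE | re.VERBOSE,
)
# Password-like query-string parameters (parameter names are assumptions).
URL_SECRET = re.compile(r"([?&](?:password|passwd|pwd|pw)=)[^&\s\"]*", re.IGNORECASE)


def redact(line):
    """Return (redacted_line, hit) for a single log line."""
    out, n_sql = SQL_SECRET.subn(lambda m: m.group(1) + "'<redacted>'", line)
    out, n_url = URL_SECRET.subn(r"\g<1><redacted>", out)
    return out, bool(n_sql + n_url)


def scan(lines):
    """Return (hit_line_numbers, redacted_lines); line numbers are 1-based."""
    hits, cleaned = [], []
    for number, line in enumerate(lines, start=1):
        out, hit = redact(line)
        cleaned.append(out)
        if hit:
            hits.append(number)
    return hits, cleaned


# Constructed sample lines: two from a MySQL general query log, one from a
# web server access log.
SAMPLE = [
    "080616 17:40:01\t   12 Query\tSELECT COUNT(*) FROM orders",
    "080616 17:40:07\t   12 Query\tSET PASSWORD FOR 'alice'@'localhost' = PASSWORD('foobar')",
    '192.0.2.10 - - [16/Jun/2008:17:38:53 +0100] "GET /login?user=alice&pw=foobar HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE)
    print("lines with plaintext credentials:", hits)
    print("\n".join(cleaned))
```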

