Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?

["Mike Fratto" <mfratto@xxxxxxxxx>]

> SSL man-in-the-middle attacks are a red-hearing on this discussion, since if
> the attacker can do that he/she will be able to read all content (including
> the username & password submitted by web forms), and that is a different
> question.

Actually MITM attacks are vitally relevant to this discussion because
the browser runs through a series of checks on the certificate to
ensure that it trusted. One of those checks is whether the signing
certificate, or the certificate itself, is in the local browser store.
If either is in the local browser store, that implies the certificate
presented during SSL negotiation is from a known source and therefore
trusted.

So it's quite topical not knowing whether wilke is using a certificate
issued from a trusted CA or a self signed certificate.

Self signed certificates don't weaken the SSL/TLS protocol. Self
signed certificates only weakens the trust users can place in the
identity of the website when they first encounter it. Without getting
a copy of the self-signed cert or a copy of certificates thumb print
through a trusted source, and then verifying it, there is no way to be
sure you are talking directly to the intended server or a carefully
crafted MITM.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA