Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?

[Josh Amishav-Zlatin <josh@xxxxxxxx>]

On Mon, Jun 16, 2008 at 04:41:31PM +0100, Martin O'Neal wrote:
> 
> > if SSL traffic can be sniffed and decrytped by 
> > someone in your subnet or by somone that compromised 
> > one of your routers creating something like a GRE 
> > tunnel, then you're f*****
> 
> Whilst this is true, MITM and sniffing both rely on something else to be
> broken before they are of any practical use (keys already obtained, a
> fake trust hierarchy to be accepted by a client etc.).  SSL works fine
> when implemented properly.

While this is true in theory, from my experience at least, it's pretty
easy to engineer an end user to accept a fake certificate. The protocol
itself may be "secure", but remember to take into account the weakest
link. While encrypting the credentials before they leave the browser
isn't foolproof it certainly raises the bar a bit.

--
 - Josh 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA