
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



Forgot to mention, confidentiality when sent over SSL

On Mon, Jun 16, 2008 at 4:04 PM, Rohit Lists <rklists@xxxxxxxxx> wrote:
> It seems like the issue may have become confused a bit.
>
> The original question was in regards to transmitting credentials in
> an HTTP Header. This does not necessarily mean a URL. An example of a
> sensitive, non-URL header value that is used regularly is a Session ID
> in a cookie. Since this is the de-facto way of handling session
> management in most web applications, we'd really be in trouble if we
> couldn't trust the confidentiality of sensitive data transmitted
> through HTTP Headers (except, of course, for URLs).
>
> Cheers,
>
> Rohit Sethi
> Manager, Professional Services
> Security Compass
> http://www.securitycompass.com
>
> On Sun, Jun 15, 2008 at 9:28 PM, wilke rodriquez <wilkepower@xxxxxxx> wrote:
>> Hi All,
>>
>> I recently came across a website that passed the user credentials through
>> the http header in clear-text but via https.
>> Is this practice considered secure?
>> Would this also show that the passwords are being stored in clear-text and
>> not encrypted with a salt value in the db?
>> It seems to me there are a few more secure options when dealing with
>> authentication. What do you all suggest as the best for a low user (less than
>> 10) system?
>> The system does need added security due to the contents.
>>
>> Thanks
>>
>

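Rohit's distinction above (headers travel inside the TLS channel; a URL, even over HTTPS, ends up in access logs, browser history and Referer headers) can be turned into a quick check. The following is an added example, not code from anyone in this thread; the header and parameter names it treats as credential carriers are an assumed list, and the sample requests are constructed.

```python
"""Report where a raw HTTP request carries credentials: header or URL.

Added example. Headers (Authorization, Cookie, ...) are only seen by the
two TLS endpoints. The request target is also encrypted on the wire,
but it is logged and forwarded in Referer headers, so a secret placed
in the query string is not confidential in practice.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed lists: header and query-parameter names that usually carry secrets.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "sessionid", "api_key"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_credentials(raw: str):
    """Return {'header': [...], 'url': [...]}: which credential carriers are
    in headers (protected by TLS end to end) and which sit in the URL
    (exposed to logs, history and Referer despite TLS)."""
    _method, target, headers = parse_request(raw)
    found = {"header": [], "url": []}
    for name in sorted(headers):
        if name in SENSITIVE_HEADERS:
            found["header"].append(name)
    for param in parse_qs(urlsplit(target).query, keep_blank_values=True):
        if param.lower() in SENSITIVE_PARAMS:
            found["url"].append(param)
    return found


# Constructed sample requests: one keeps secrets in headers, one leaks via the URL.
HEADER_REQUEST = ("GET /account HTTP/1.1\r\nHost: example.test\r\n"
                  "Authorization: Bearer CONSTRUCTED-TOKEN\r\n"
                  "Cookie: sessionid=CONSTRUCTED-SESSION\r\n\r\n")
URL_REQUEST = ("GET /login?user=bob&password=CONSTRUCTED HTTP/1.1\r\n"
               "Host: example.test\r\n\r\n")
```

A non-empty `url` list is the finding to act on: move that value into a header or request body, and check that any session cookie is also marked `Secure` so it never goes out over plain HTTP.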