Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "Rohit Lists" <rklists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 16:04:34 -0400
It seems like the issue may have become confused a bit.
The original question was in regards to transmitting credentials in
an HTTP Header. This does not necessarily mean a URL. An example of a
sensitive, non-URL header value that is used regularly is a Session ID
in a cookie. Since this is the de facto way of handling session
management in most web applications, we'd really be in trouble if we
couldn't trust the confidentiality of sensitive data transmitted
through HTTP Headers (except, of course, for URLs).
Cheers,
Rohit Sethi
Manager, Professional Services
Security Compass
http://www.securitycompass.com
On Sun, Jun 15, 2008 at 9:28 PM, wilke rodriquez <wilkepower@xxxxxxx> wrote:
> Hi All,
>
> I recently came across a website that passed the user credentials through
> the http header in clear-text but via https.
> Is this practice considered secure?
> Would this also show that the passwords are being stored in clear-text and
> not encrypted with a salt value in the db?
> It seems to me there are a few more secure options when dealing with
> authentication; what do you all suggest as the best for a low-user (less than
> 10) system?
> The system does need added security due to the contents.
>
> Thanks
>
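As an added illustration of the distinction the thread circles around (example code, not from either poster): the server decodes a Basic Authorization header into the clear-text password, which TLS protected only on the wire, and then checks it against a per-user salted PBKDF2 hash, so what is stored is never the password itself. The user name, password and iteration count are assumptions.

```python
# Added example: transport confidentiality (TLS) and at-rest protection
# (salted hashing) are independent layers. A server that receives the
# clear-text password in an HTTP header can still store only a salted hash.
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget


def make_basic_header(user, password):
    """Client side: what a browser puts on the wire (inside TLS) for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header_value):
    """Decode 'Basic <base64(user:pass)>'; base64 is encoding, not encryption.
    Raises ValueError (or a subclass) on malformed input."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed sample record: holds only salt + hash, never the password.
_SALT, _HASH = hash_password("correct horse battery staple")
USER_DB = {"alice": (_SALT, _HASH)}


def authenticate(authorization_header):
    """Check an incoming Authorization header against the salted-hash store."""
    try:
        user, password = parse_basic_auth(authorization_header)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError too
        return False
    record = USER_DB.get(user)
    return record is not None and verify_password(password, *record)
```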
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org