
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



> While this is true in theory

No, it is actually true in practice.  For all its unnecessary complexity
and stupid design, SSL is pretty robust; the problems with it tend to be
in the implementation.

> from my experience at least, it's pretty
> easy to engineer an end user to accept a 
> fake certificate. 

I would agree with this, but if the context of your environment warrants
this kind of security, and you feel your user training hasn't worked,
then simply switch the option to accept mismatched certificates off.

> While encrypting the credentials before they leave 
> the browser isn't foolproof it certainly raises the 
> bar a bit.

Actually, it doesn't.  Logically, if an attacker has access to the
transport, they have access to the hash code you send out, any nonces
you may use, the whole shebang.  The ultimate value is cosmetic.  Unless
of course you engineer a complete client and distribute it offline.  In
which case you're probably on the wrong mailing list.  LOL.

Martin...
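The two points Martin makes above (that hashing in the browser is cosmetic once the transport is compromised, and that the real control is refusing mismatched certificates) modelled as an added example; this is illustrative code written for this reply, not anything from the original thread, and the user name, password, salt and certificate switch are all constructed.

```python
import hashlib
import hmac

# Constructed single-user credential store; values are illustrative only.
USERS = {}

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def enroll(user: str, password: str, client_hashes: bool) -> None:
    # Scheme A (client_hashes=False): server salts and hashes the raw password.
    # Scheme B (client_hashes=True): browser sends H(password); server salts
    # and hashes that value instead.
    salt = "constructed-salt"
    secret = sha256_hex(password) if client_hashes else password
    USERS[user] = {"salt": salt, "stored": sha256_hex(salt + secret),
                   "client_hashes": client_hashes}

def client_login_payload(user: str, password: str) -> dict:
    # The message that actually crosses the transport in either scheme.
    if USERS[user]["client_hashes"]:
        return {"user": user, "secret": sha256_hex(password)}
    return {"user": user, "secret": password}

def server_verify(payload: dict) -> bool:
    rec = USERS[payload["user"]]
    candidate = sha256_hex(rec["salt"] + payload["secret"])
    return hmac.compare_digest(candidate, rec["stored"])

def observed_on_transport(payload: dict, accept_mismatched_cert: bool):
    # A fake certificate only exposes the payload if the client was allowed
    # to accept it; with strict validation TLS does its job and nothing leaks.
    return dict(payload) if accept_mismatched_cert else None

def observer_can_authenticate(client_hashes: bool, accept_mismatched_cert: bool) -> bool:
    enroll("alice", "correct horse battery staple", client_hashes)
    sent = client_login_payload("alice", "correct horse battery staple")
    seen = observed_on_transport(sent, accept_mismatched_cert)
    if seen is None:
        return False
    # Whatever the server accepts as proof is exactly what the observer saw:
    # with client-side hashing, the hash itself is the password-equivalent.
    return server_verify(seen)
```

Run with both `client_hashes` values: the outcome depends only on the certificate setting, never on whether the browser hashed first.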
