
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?




What is considered best practice in this area? How is it that sites like netvibes.com are able to hash the password before transmission? I couldn't find any JavaScript code doing the hashing there.

> Date: Mon, 16 Jun 2008 16:04:34 -0400
> From: rklists@gmail.com
> To: wilkepower@msn.com
> Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
> CC: websecurity@webappsec.org
>
> It seems like the issue may have become confused a bit.
>
> The original question was in regards to transmitting credentials in
> an HTTP header. This does not necessarily mean a URL. An example of a
> sensitive, non-URL header value that is used regularly is a session ID
> in a cookie. Since this is the de facto way of handling session
> management in most web applications, we'd really be in trouble if we
> couldn't trust the confidentiality of sensitive data transmitted
> through HTTP headers (except, of course, for URLs).
>
> Cheers,
>
> Rohit Sethi
> Manager, Professional Services
> Security Compass
> http://www.securitycompass.com
>
> On Sun, Jun 15, 2008 at 9:28 PM, wilke rodriquez <wilkepower@msn.com> wrote:
> > Hi All,
> >
> > I recently came across a website that passed the user credentials through
> > the HTTP header in clear-text, but via HTTPS.
> > Is this practice considered secure?
> > Would this also show that the passwords are being stored in clear-text and
> > not encrypted with a salt value in the db?
> > It seems to me there are a few more secure options when dealing with
> > authentication; what do you all suggest as the best for a low-user (less than
> > 10) system?
> > The system does need added security due to the contents.
> >
> > Thanks
> >




Brought to you by http://www.webappsec.org