
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?


Just to jump in... netvibes.com seems to have a JavaScript implementation of
MD5. The JS code referenced is here:
http://cdn.netvibes.com/js/c/Netvibes.js?v=410
It's a bit unreadable as is, but you can find other implementations around
the internet.

I'm not sure if hashing the password on the client side would be best
practice (anyone have a strong opinion?), but it seems effective.

-Chris

On Tue, Jun 17, 2008 at 4:37 PM, wilke rodriquez <wilkepower@msn.com> wrote:

>
> What is considered best practice in this area? How is it that sites like
> netvibes.com are able to hash the password before transmission? I couldn't
> find any JavaScript code doing the hashing there.
>
>
> ------------------------------
> > Date: Mon, 16 Jun 2008 16:04:34 -0400
> > From: rklists@gmail.com
> > To: wilkepower@msn.com
> > Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL
> considered safe?
> > CC: websecurity@webappsec.org
>
> >
> > It seems like the issue may have become confused a bit.
> >
> > The original question was in regards to transmitting credentials in
> > an HTTP Header. This does not necessarily mean a URL. An example of a
> > sensitive, non-URL header value that is used regularly is a Session ID
> > in a cookie. Since this is the de-facto way of handling session
> > management in most web applications, we'd really be in trouble if we
> > couldn't trust the confidentiality of sensitive data transmitted
> > through HTTP Headers (except, of course, for URLs).
> >
> > Cheers,
> >
> > Rohit Sethi
> > Manager, Professional Services
> > Security Compass
> > http://www.securitycompass.com
> >
> > On Sun, Jun 15, 2008 at 9:28 PM, wilke rodriquez <wilkepower@msn.com>
> wrote:
> > > Hi All,
> > >
> > > I recently came across a website that passed the user credentials
> > > through the HTTP header in clear-text but via HTTPS.
> > > Is this practice considered secure?
> > > Would this also show that the passwords are being stored in clear-text
> > > and not encrypted with a salt value in the DB?
> > > It seems to me there are a few more secure options when dealing with
> > > authentication; what do you all suggest as the best for a low-user
> > > (less than 10) system?
> > > The system does need added security due to the contents.
> > >
> > > Thanks
> > >
>




Brought to you by http://www.webappsec.org