
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



Ditto on Martin's response.

Specifically -- in terms of Security Engineering
principles: this is not only uselessly cosmetic;
it's a fundamental security fallacy:

Rule 101: You never send the key with the message,
or message confidentiality cannot remain intact.

Someone needs to write a guide to building
dependable, distributed systems with a
web-based application security focus. At least,
I haven't seen a good guide like Ross' 2001
legacy work yet.


I have to give major props to this thread. This has
got to be one of the most complex and forked threads
I've ever seen on the WASC list!

-- 
Arian J. Evans.

Rule One of proficient motorcycling: When in doubt, give it more gas.


On Tue, Jun 17, 2008 at 11:27 PM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
>> I'm not sure if hashing the password
>> on the client side would be best practice
>> (anyone have a strong opinion?) but it
>> seems effective.
>
> The problem is that it is not effective, just cosmetic.  It doesn't buy
> you anything (other than a false sense of security).
>
> If someone has compromised your SSL, they can change whatever you put
> inside it.  In this example, all an attacker has to do is amend the
> javascript as it goes past and make it send the cleartext auth.
>
> Martin...
>
>
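An added illustration of the point both messages make (example code written for this archive page, not code from the thread or from either author): a server that checks a browser-computed SHA-256 digest is placed beside one that receives the password inside TLS and verifies it with a salted PBKDF2. Whatever value crosses the wire is the credential in both designs; the client-side hash only renames it. The sample password and all function names are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo credential; not a real account.
PASSWORD = "correct horse battery staple"

# Design A ("cosmetic"): the browser hashes, the server stores and
# compares the digest.
def client_side_hash(password: str) -> str:
    # What the page's JavaScript would compute before transmission.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

STORED_DIGEST = client_side_hash(PASSWORD)

def verify_cosmetic(transmitted: str) -> bool:
    return hmac.compare_digest(transmitted, STORED_DIGEST)

# Design B (standard): the password itself travels inside TLS; the server
# salts and stretches it. Nothing the client script does affects the check.
def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

STORED_RECORD = make_record(PASSWORD)

def verify_server_side(transmitted: str) -> bool:
    salt, stored = STORED_RECORD
    cand = hashlib.pbkdf2_hmac("sha256", transmitted.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(cand, stored)

def wire_value_logs_in(verify, observed: str) -> bool:
    """Does the value seen on the wire, presented again unchanged, authenticate?"""
    return verify(observed)

def demo() -> dict:
    on_wire_a = client_side_hash(PASSWORD)   # design A transmits this
    on_wire_b = PASSWORD                     # design B transmits this
    # In both designs the transmitted value IS the key ("never send the key
    # with the message"): design A just sends a 64-hex-char string instead
    # of the password, and its confidentiality still rests entirely on TLS.
    return {
        "A_wire_value_logs_in": wire_value_logs_in(verify_cosmetic, on_wire_a),
        "B_wire_value_logs_in": wire_value_logs_in(verify_server_side, on_wire_b),
    }
```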

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org