
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



> I accept that this is a stretch (and a 
> really big one), but purely from that point 
> it's better to not have the password in
> clear. 

LOL.  The password isn't in the clear, it is inside an encrypted
channel.

However (ultimately) no-one cares about the password though; it is the
data/resources that we are trying to protect.  It would be bizarre to
not trust the transmission medium to the extent of wanting to monkey
around with the password (with little actual effect), and yet to still
be happy to send the data through in the clear.

Martin...

----------------------------------------------------------------------------
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Brought to you by http://www.webappsec.org