Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "Ivan Ristic" <ivan.ristic@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Wed, 18 Jun 2008 15:13:32 -0700
Martin,
On Wed, Jun 18, 2008 at 2:56 PM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
>> I accept that this is a stretch (and a
>> really big one), but purely from that point
>> it's better to not have the password in
>> clear.
>
> LOL. The password isn't in the clear, it is inside an encrypted
> channel
Once an SSL session is cracked the password will be in the clear. My
point is that, as a matter of principle, we should not be transmitting
an asset over the communication channel in the cases where a more
secure substitute (e.g. a challenge-response replacement for a
password) would do the job nicely. You think your SSL communication
channels are secure? So did the people who were using the flawed
Debian version of OpenSSL.
> However (ultimately) no-one cares about the password though; it is the
> data/resources that we are trying to protect. It would be bizarre to
> not trust the transmission medium to the extent of wanting to monkey
> around with the password (with little actual effect), and yet to still
> be happy to send the data through in the clear.
Whoever captures a session will only get the information
transmitted in it, but if they get the password they will be able to
retrieve every piece of data the user has access to.
> Martin...
--
Ivan Ristic
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
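The challenge-response substitute Ivan argues for, written out as an added example (not code from the thread): the server keeps a PBKDF2-derived key per user, issues a single-use nonce, and checks an HMAC over it, so a captured exchange yields only a nonce and a one-time response, whereas a captured cleartext login yields the reusable password. The names Server, client_response and run_login, and the sample user, are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed example: both sides hold a key derived from the password,
# and the password itself never crosses the wire.

def derive_key(password: str, salt: bytes) -> bytes:
    """Slow KDF so that a stolen verifier still costs the attacker work per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.users = {}      # username -> (salt, derived key); no plaintext password stored
        self.pending = {}    # username -> outstanding nonce (single use)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        salt, _ = self.users[username]
        nonce = os.urandom(16)           # fresh per login attempt
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)   # nonce is consumed even on failure
        if nonce is None:
            return False                            # nothing outstanding: a replay is rejected
        _, key = self.users[username]
        expected = hmac.new(key, username.encode() + nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

def client_response(username: str, password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends: an HMAC over the challenge, never the password."""
    key = derive_key(password, salt)
    return hmac.new(key, username.encode() + nonce, "sha256").digest()

def run_login(server: Server, username: str, password: str) -> tuple[bool, bytes]:
    """One full exchange; returns the verdict and the on-the-wire response an eavesdropper would see."""
    salt, nonce = server.challenge(username)
    response = client_response(username, password, salt, nonce)
    return server.verify(username, response), response
```

The derived key the server stores is still password-equivalent if the server's database leaks; a PAKE such as SRP closes that gap as well.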