Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: Albert Lunde <atlunde@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Wed, 18 Jun 2008 23:18:53 -0400
On Wed, Jun 18, 2008 at 02:25:15PM -0700, James Landis wrote:
> What you are talking about sounds like digest authentication, which
> requires the server to maintain the original password in cleartext
> form. Sure you can increase the security of the credential in transit,
> but it doesn't make sense to do that at the cost of the overall
> security of the system. You don't get additional security for free.
Digest auth doesn't require storing the password in cleartext, _if_
you are willing to store an extra password hash in a site-specific
format nothing else uses. (Obviously some implementers found it
easier to use cleartext or reversible encryption, but the spec
did consider that risk.)
Doing digest auth inside SSL is overkill for reasons already cited,
but it makes as much sense as trying to do crypto in Javascript.
(I know there are other issues with Digest, but the code is already
out there to do it.)
--
Albert Lunde albert-lunde@xxxxxxxxxxxxxxxx
atlunde@xxxxxxxxx (new address for personal mail)
albert-lunde@xxxxxxx (old address)
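The point made in the message above, that a Digest server can verify clients while holding only a site-specific hash rather than the cleartext password, is shown in the added example below. This is editor-supplied code, not from the original post or any library; it implements the RFC 2617 qop=auth computation (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) and checks itself against the worked example published in RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"). The function names, the in-memory store and the minimal header parser are illustrative. Note the caveat the code comments spell out: the stored HA1 is password-equivalent for that realm, so the "extra hash" still has to be protected like a credential.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth) with the server storing only HA1.

Added example, not code from the original mailing-list post. Illustrative names
throughout: enrol(), verify_digest(), parse_digest_header(), the dict used as the
credential store. Test vector values are taken from RFC 2617 section 3.5.
"""
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the only secret the server needs to keep. Because the realm is mixed
    in, the value is useless against a different site; but within this realm it
    is password-equivalent (anyone holding HA1 can compute valid responses), so
    the store must be protected as if it held passwords.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def enrol(store: dict, username: str, realm: str, password: str) -> None:
    """Record HA1 for a user; the cleartext password is not retained."""
    store[username] = ha1(username, realm, password)


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:"auth":HA2), with HA2 = MD5(method:uri)."""
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def client_authorization(username: str, realm: str, password: str, method: str,
                         uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: derive HA1 from the typed password and build the Authorization header."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# name=value pairs, value either quoted or a bare token (e.g. qop=auth, nc=00000001)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Minimal parser for the parameters of a 'Digest ...' Authorization header."""
    prefix = "Digest "
    if not header.startswith(prefix):
        raise ValueError("not a Digest Authorization header")
    params = {}
    for m in _PARAM.finditer(header[len(prefix):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def verify_digest(store: dict, realm: str, method: str, header: str, issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 only.

    The server never sees or needs the password. It also insists that the nonce
    is the one it issued for this exchange, which is the minimal replay defence;
    a real deployment would additionally track nc to detect reuse of a nonce.
    """
    p = parse_digest_header(header)
    h1 = store.get(p.get("username", ""))
    if h1 is None:
        return False
    if p.get("realm") != realm or p.get("nonce") != issued_nonce or p.get("qop") != "auth":
        return False
    for k in ("uri", "nc", "cnonce", "response"):
        if k not in p:
            return False
    expected = digest_response(h1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


def rfc2617_example() -> dict:
    """Run RFC 2617 section 3.5's worked example end to end and return the results."""
    realm = "testrealm@host.com"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    store: dict = {}
    enrol(store, "Mufasa", realm, "Circle Of Life")
    good = client_authorization("Mufasa", realm, "Circle Of Life",
                                "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    wrong = client_authorization("Mufasa", realm, "circle of life",
                                 "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    return {
        "stored_ha1": store["Mufasa"],
        "response": parse_digest_header(good)["response"],
        "accepted": verify_digest(store, realm, "GET", good, nonce),
        "wrong_password_accepted": verify_digest(store, realm, "GET", wrong, nonce),
        "stale_nonce_accepted": verify_digest(store, realm, "GET", good, "some-other-nonce"),
        "cleartext_in_store": "Circle Of Life" in store.values(),
    }


if __name__ == "__main__":
    for k, v in rfc2617_example().items():
        print(f"{k}: {v}")
```

Running the module prints the RFC's HA1 (939e7578ed9e3c518a452acee763bce9) and response (6629fae49393a05397450978507c4ef1), shows the correct header accepted, and shows a wrong password or a nonce the server did not issue rejected, all without the cleartext password ever entering the store.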