Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: "Ivan Ristic" <ivan.ristic@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Thu, 19 Jun 2008 06:13:36 -0700
I've already explained in my previous email.
The history of our security problems has demonstrated that any one
security measure can fail, and that every security measure will. It's
not about whether I trust SSL the specification, but whether I trust
SSL the implementation. While the specification itself is solid, to
make it effective one needs also to have a solid client, a solid
server, good technical skills to configure everything correctly, and a
good set of policies to catch configuration errors. You will agree
that this changes the situation dramatically; for the worse.
To sum it up: no security feature should be taken for granted.
When a catastrophic failure occurs (such as the Debian OpenSSL
debacle) you can throw up your hands in the air and claim that it's a
freak accident, but I'd prefer to be the guy who had a bunch of
overlapping security measures that prevented that freak accident from
escalating into a full compromise.
On Wed, Jun 18, 2008 at 11:06 PM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
>> Once an SSL session is cracked
>> the password will be in the clear.
>
> If you don't trust SSL, and the data is valuable enough to cause you
> concern, then web apps probably aren't the appropriate delivery
> mechanism.
>
> Martin...
>
>
> ----------------------------------------------------------------------
> CONFIDENTIALITY: This e-mail and any files transmitted with it are
> confidential and intended solely for the use of the recipient(s) only.
> Any review, retransmission, dissemination or other use of, or taking
> any action in reliance upon this information by persons or entities
> other than the intended recipient(s) is prohibited. If you have
> received this e-mail in error please notify the sender immediately
> and destroy the material whether stored on a computer or otherwise.
> ----------------------------------------------------------------------
> DISCLAIMER: Any views or opinions presented within this e-mail are
> solely those of the author and do not necessarily represent those
> of Corsaire Limited, unless otherwise specifically stated.
> ----------------------------------------------------------------------
> Corsaire Limited, registered in England No. 3338312. Registered
> office: Portland House, Park Street, Bagshot, Surrey GU19 5PG.
> Telephone: +44 (0)1483-746700
>
>
--
Ivan Ristic
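The post above argues that SSL only protects a cleartext password if the client, the server, the configuration and the policies that catch configuration mistakes are all solid. The following is an added example, not code from the thread or from either author: a small Python policy check that flags a weakened TLS client context, plus a server-side guard that refuses a submitted password unless the request actually arrived over TLS. The header name `X-Forwarded-Proto`, the `behind_trusted_proxy` flag and the HSTS max-age value are assumptions chosen for illustration.

```python
"""Added example (not from the thread): catch TLS configuration errors with a
policy audit, and keep a password submission from being accepted over plain
HTTP. Header names and the trusted-proxy flag are assumptions."""
import ssl
from typing import List, Mapping, Tuple

# Policy floor assumed for this example: no TLS older than 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses old TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def make_weakened_client_context() -> ssl.SSLContext:
    """A misconfigured context of the kind the audit is meant to catch:
    verification switched off, as happens when someone 'fixes' a cert error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations found; an empty list means the context passes."""
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification is not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.minimum_version < MIN_TLS:   # TLSVersion is an IntEnum, so < works
        problems.append(f"minimum TLS version below {MIN_TLS.name}")
    return problems


def credentials_accepted(headers: Mapping[str, str], scheme: str,
                         behind_trusted_proxy: bool = False) -> bool:
    """Server-side guard: accept a submitted password only if the request
    arrived over TLS. Behind a TLS-terminating proxy, X-Forwarded-Proto is
    honoured only when the deployment marks that proxy as trusted (assumption)."""
    if scheme.lower() == "https":
        return True
    if behind_trusted_proxy:
        return headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False


def hsts_header(max_age: int = 31536000) -> Tuple[str, str]:
    """Response header that keeps browsers from falling back to plain HTTP."""
    return ("Strict-Transport-Security", f"max-age={max_age}; includeSubDomains")


if __name__ == "__main__":
    print("hardened:", audit_context(make_hardened_client_context()))
    print("weakened:", audit_context(make_weakened_client_context()))
    print("login over http accepted?", credentials_accepted({}, "http"))
```

The audit is the "policy to catch configuration errors" the post asks for: run it against every context the application builds, in a unit test or at startup, so a context that silently turned verification off fails loudly instead of shipping. The request guard and the HSTS header are two of the overlapping measures the post prefers, each of which still holds if another layer is misconfigured.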
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org