
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?

Oliver/Ivan,

This isn't flame bait, and I'm not pulling your plums.  I'm happy with
layered security.  I don't think SSL is any form of utopia.  I brush my
teeth after meals (mostly).

However, you are both arguing for the utility of a feature that so far
neither of you has shown any real benefit from:

The hash doesn't help with a MITM or mobile code attack (the most likely
vectors).

The hash may help in a limited situation where there is a poorly
configured SSL implementation.  However, problems with the SSL
configuration are better served by addressing these directly, which also
protects the data.

The hash may help in a limited situation where there is a flawed SSL
implementation.  However, it does nothing for the data; the hash can
also still be run through a rainbow table or offline brute-forced (so
the benefit is marginal), and as a solution an OTP does everything
better without suffering the downsides.

Martin...
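As an added illustration of the replay and offline-recovery points made in this reply (example code written for this page, not from the list or any poster): a constructed login where the browser sends sha256(password) in place of the password, set beside an RFC 4226 HOTP check. The secret, passwords and word list are made-up sample values.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Constructed scheme under discussion: the client sends sha256(password).
def client_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def server_verify_static(stored_hash: str, received: str) -> bool:
    # The server compares the transmitted hash directly, so whatever the
    # client sends *is* the credential; a captured value works again as-is.
    return hmac.compare_digest(stored_hash, received)

def replay_succeeds(captured: str, stored_hash: str) -> bool:
    # Someone who observed the value (MITM, hostile mobile code) re-sends it.
    return server_verify_static(stored_hash, captured)

def dictionary_recover(captured: str, wordlist: List[str]) -> Optional[str]:
    # Unsalted, fixed hash: a precomputed table (the "rainbow table" case)
    # or a quick offline pass maps the captured digest back to the password.
    table = {client_hash(w): w for w in wordlist}
    return table.get(captured)

# HOTP per RFC 4226: counter-based one-time password, the alternative the
# reply favours. Same secret, different counter -> different code.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_verify_otp(secret: bytes, counter: int, received: str) -> Tuple[bool, int]:
    # Accept the code for the current counter only, then advance the counter
    # so the same captured code can never be accepted a second time.
    if hmac.compare_digest(hotp(secret, counter), received):
        return True, counter + 1
    return False, counter

if __name__ == "__main__":
    stored = client_hash("winter2009")            # constructed sample password
    print("static hash replays:", replay_succeeds(stored, stored))
    print("recovered:", dictionary_recover(stored, ["password", "winter2009"]))
    secret = b"12345678901234567890"              # RFC 4226 test-vector secret
    ok, ctr = server_verify_otp(secret, 0, hotp(secret, 0))
    print("first OTP use:", ok, "replay:", server_verify_otp(secret, ctr, hotp(secret, 0))[0])
```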

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
