
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



What you're asking is not possible. Without a proper context (i.e.
security budget, attack model, other competing issues) we can only
theorise.
On Thu, Jun 19, 2008 at 8:15 AM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
> Oliver/Ivan,
>
> This isn't flame bait, and I'm not pulling your plums.  I'm happy with
> layered security.  I don't think SSL is any form of utopia.  I brush my
> teeth after meals (mostly).
>
> However, you are both arguing for the utility of a feature, that so far
> neither of you have shown any real benefit from:

I believe I've demonstrated that there are situations where such a
feature increases security. I can't do what you're asking me to do,
which is demonstrate that a feature is appropriate in every situation.
Benefit is subjective. I can't argue for a feature without a context
(e.g. security budget, competing issues, attack model, etc.).


> The hash doesn't help with a MITM or mobile code attack (the most likely
> vectors).
>
> The hash may help in a limited situation where there is a poorly
> configured SSL implementation.  However, problems with the SSL
> configuration are better served by addressing these directly, which also
> protects the data.
>
> The hash may help in a limited situation where there is a flawed SSL
> implementation.  However, it does nothing for the data, the hash can
> also still be run through a rainbow table or offline brute forced (so
> the benefit is marginal) and as a solution, an OTP does everything
> better, without suffering the downsides.
>
> Martin...
>



-- 
Ivan Ristic
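As an added illustration of the replay point raised in this thread (it is not code from either poster): a captured client-side hash is a password-equivalent that a man-in-the-middle can simply present again, whereas a counter-based one-time code is consumed on first use. The password, seed and server classes are constructed for the example.

```python
import hashlib
import hmac

# Constructed example (not from the thread): a server that authenticates with a
# static client-side hash versus one that authenticates with a counter-based OTP.
# "Captured" stands for whatever a MITM between client and server already sees;
# the question is only whether that value can be reused.

PASSWORD = "correct horse"            # constructed sample password
SHARED_SECRET = b"per-user-otp-seed"  # constructed OTP seed shared with the server


def client_hash(password: str) -> str:
    """What the browser would send instead of the clear-text password."""
    return hashlib.sha256(password.encode()).hexdigest()


class HashServer:
    """Stores the client-side hash and accepts anything equal to it."""
    def __init__(self, password: str) -> None:
        self.stored = client_hash(password)

    def login(self, presented_hash: str) -> bool:
        return hmac.compare_digest(self.stored, presented_hash)


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style code: HMAC over a monotonically increasing counter."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()


class OtpServer:
    """Accepts HMAC(secret, counter) once; the counter advances on success."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def login(self, code: str) -> bool:
        expected = otp_code(self.secret, self.counter)
        if hmac.compare_digest(expected, code):
            self.counter += 1  # consumed: the same code is never valid again
            return True
        return False


def replay_static_hash() -> tuple:
    """Legitimate login, then the same captured hash presented again."""
    server = HashServer(PASSWORD)
    captured = client_hash(PASSWORD)
    return server.login(captured), server.login(captured)  # (True, True)


def replay_otp() -> tuple:
    """Legitimate OTP login, then the same captured code presented again."""
    server = OtpServer(SHARED_SECRET)
    captured = otp_code(SHARED_SECRET, 0)
    return server.login(captured), server.login(captured)  # (True, False)
```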
