RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?

["Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>]

> What you're asking is not possible. Without a 
> proper context (i.e. security budget, attack 
> model, other competing issues) we can only
> theorise.

I disagree (but then you knew I would); you don't need all that
background to look at the hash feature in isolation.  

It is clear that it adds nothing in almost every scenario.  In the only
scenario provided for where it may have some value, the scenario is very
unlikely (some form of SSL flaw that doesn't allow MITM [additionally
requiring appropriate network access, a vulnerable server and a traffic
dump]) and even then, the best you have achieved is that it still leaves
the password hash exposed to an offline attack (which is the next-best
option to clear text for an attacker!).

The horse is dead!  Long live the horse!

Martin...

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA