[WEB SECURITY] username & pw in clear-text through SSL considered safe?

wilke rodriquez wilkepower at msn.com
Tue Jun 17 16:37:25 EDT 2008


What is considered best practice in this area? How is it that sites like netvibes.com are able to hash the password before transmission? I couldn't find any JavaScript code doing the hashing there.

> Date: Mon, 16 Jun 2008 16:04:34 -0400
> From: rklists at gmail.com
> To: wilkepower at msn.com
> Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
> CC: websecurity at webappsec.org
>
> It seems like the issue may have become confused a bit.
>
> The original question was in regards to transmitting credentials in an HTTP Header. This does not necessarily mean a URL. An example of a sensitive, non-URL header value that is used regularly is a Session ID in a cookie. Since this is the de-facto way of handling session management in most web applications, we'd really be in trouble if we couldn't trust the confidentiality of sensitive data transmitted through HTTP Headers (except, of course, for URLs).
>
> Cheers,
>
> Rohit Sethi
> Manager, Professional Services
> Security Compass
> http://www.securitycompass.com
>
> On Sun, Jun 15, 2008 at 9:28 PM, wilke rodriquez <wilkepower at msn.com> wrote:
> > Hi All,
> >
> > I recently came across a website that passed the user credentials through the http header in clear-text but via https.
> > Is this practice considered secure?
> > Would this also show that the passwords are being stored in clear-text and not encrypted with a salt value in the db?
> > It seems to be there are a few more secure options when dealing with authentication what do you all suggest as the best for a low user (less than 10) system?
> > The system does need added security due to the contents.
> >
> > Thanks
> >
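The thread asks whether a credential sent in clear text inside an HTTP header over TLS implies the password is also stored in clear text. The following added example (not code from the thread or any site it mentions) shows the two are independent: the server reads a header-borne credential (HTTP Basic, a constructed sample) and checks it against a salted PBKDF2 hash, so the wire format says nothing about storage. The user store, usernames and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (constructed value for the example).
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> Dict[str, bytes]:
    """Store only a random salt and the PBKDF2 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; return (user, pass) or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def verify(header_value: str, users: Dict[str, Dict[str, bytes]]) -> bool:
    """Check the header credential against the salted hash on file."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    record = users.get(user)
    # Run the same hash for unknown users so response time does not reveal valid names.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


# Constructed sample user store, not taken from the thread.
USERS = {"alice": make_record("correct horse")}


def demo() -> Tuple[bool, bool, bool]:
    good = "Basic " + base64.b64encode(b"alice:correct horse").decode("ascii")
    bad = "Basic " + base64.b64encode(b"alice:wrong").decode("ascii")
    return verify(good, USERS), verify(bad, USERS), verify("Bearer xyz", USERS)
```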