[WEB SECURITY] username & pw in clear-text through SSL considered safe?

Martin O'Neal martin.oneal at corsaire.com
Wed Jun 18 02:27:03 EDT 2008


> I'm not sure if hashing the password 
> on the client side would be best practice 
> (anyone have a strong opinion?) but it 
> seems effective.

The problem is that it is not effective, just cosmetic.  It doesn't buy
you anything (other than a false sense of security).  

If someone has compromised your SSL, they can change whatever you put
inside it.  In this example, all an attacker has to do is amend the
javascript as it goes past and make it send the cleartext auth.  

Martin...



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
