[WEB SECURITY] username & pw in clear-text through SSL considered safe?

Albert Lunde atlunde at panix.com
Wed Jun 18 23:18:53 EDT 2008


On Wed, Jun 18, 2008 at 02:25:15PM -0700, James Landis wrote:
> What you are talking about sounds like digest authentication, which
> requires the server to maintain the original password in cleartext
> form. Sure you can increase the security of the credential in transit,
> but it doesn't make sense to do that at the cost of the overall
> security of the system. You don't get additional security for free.

Digest auth doesn't require storing the password in cleartext; _if_
you are willing to store an extra password hash in a site-specific
format nothing else uses. (Obviously some implementers found it 
easier to use cleartext or reversible encryption, but the spec
did consider that risk.)

Doing digest auth inside SSL is overkill for reasons already cited,
but it makes as much sense as trying to do crypto in Javascript.

(I know there are other issues with Digest, but the code is already
out there to do it.)

-- 
    Albert Lunde  albert-lunde at northwestern.edu
                  atlunde at panix.com  (new address for personal mail)
                  albert-lunde at nwu.edu (old address)
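The storage point made above (the server keeps a realm-bound hash rather than the password itself) is concrete enough to show in code. The following is an added example, not code from the original post or from any particular Digest implementation: it applies the RFC 2617 formulas (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth) to constructed sample credentials. The server side enrolls and verifies using only HA1, so the cleartext password never needs to be on disk; the function and variable names are this example's own.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    """MD5 hex digest of a UTF-8 string, as Digest auth (RFC 2617) specifies."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the value a server stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Compute the 'response' field from HA1 (qop=auth form of RFC 2617)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# --- server side: a credential store keyed by (username, realm) ---

def enroll(store: dict, username: str, realm: str, password: str) -> None:
    """Store only the realm-bound HA1; the password is discarded after hashing."""
    store[(username, realm)] = ha1(username, realm, password)


def verify(store: dict, username: str, realm: str, method: str, uri: str,
           nonce: str, nc: str, cnonce: str, presented: str,
           qop: str = "auth") -> bool:
    """Recompute the expected response from stored HA1 and compare it."""
    stored_ha1 = store.get((username, realm))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    # constant-time comparison so verification time does not leak a prefix match
    return hmac.compare_digest(expected, presented)


# --- client side: the browser computes HA1 from the typed password each time ---

def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    return digest_response(ha1(username, realm, password), method, uri,
                           nonce, nc, cnonce)


def demo() -> dict:
    """Constructed scenario: one user enrolled in two realms, one good and one bad login."""
    store = {}
    user, pw = "alice", "correct horse"          # constructed sample credentials
    enroll(store, user, "api.example.test", pw)
    enroll(store, user, "mail.example.test", pw)

    nonce = secrets.token_hex(16)                 # server-issued, per challenge
    cnonce = secrets.token_hex(8)                 # client-chosen
    nc = "00000001"

    good = client_response(user, "api.example.test", pw, "GET", "/inbox", nonce, nc, cnonce)
    bad = client_response(user, "api.example.test", "wrong", "GET", "/inbox", nonce, nc, cnonce)

    return {
        "accepted_good": verify(store, user, "api.example.test", "GET", "/inbox",
                                nonce, nc, cnonce, good),
        "rejected_bad": verify(store, user, "api.example.test", "GET", "/inbox",
                               nonce, nc, cnonce, bad),
        # the same password yields different HA1 per realm: the "site-specific format"
        "ha1_differs_by_realm": store[(user, "api.example.test")] != store[(user, "mail.example.test")],
        # nothing in the store equals the cleartext password
        "password_absent": pw not in store.values(),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat that goes with this: HA1 is a single unsalted MD5 with the realm as the only domain separator, so a copy of the store can be brute-forced offline far faster than a modern salted, slow password hash allows, and HA1 itself is sufficient to answer challenges for that realm. Storing HA1 avoids cleartext, but the store still needs the same protection as any other credential database.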
