Re: username and Password sent as clear text strings



Hey John,
I think this is a very common problem and, after reading through
everything on this thread, there are just 2 things that come to mind:

1) What you said -- usage of IPSec end to end. Wouldn't that mean that
everyone who accesses this application (read: internal users) also has
to use IPsec? You might want to look at whether the internal
switches/backbone are good enough to take that load, or at least mention
the same to the client.

2) A much, much simpler solution is to implement a salted hash scheme on
the client side, which means "Javascript". So as soon as you enter your
username and password and hit OK, the details go to the hash function in
Javascript -- get "encrypted" and go out. Now when it "goes out" it
hits Webscarab -- but since it's already "encrypted", Webscarab, though
it intercepts stuff, just sees the "encrypted/hashed" traffic. This
hence greatly reduces the risk, even if someone managed to somehow
convince a user to send traffic out through some untrusted proxy.

The risk is there, especially in shared environments like cyber cafes
where you could well be sending data through who knows where if you're
not careful, but really it's low risk IMHO. Should be reported -- but low
risk.

Cheers
Arvind
