Re: username and Password sent as clear text strings



Matthew Zimmerman wrote:
In my opinion, if you want to mitigate this, don't use passwords. Use
true challenge-response. Everything else proposed here is either
obfuscation or doesn't really work in a web application environment.
A VPN around a webserver only works if every user that needs access to
that webserver can also access the vpn.

That is unfortunately only security through obscurity, and barely worth doing - it raises the bar quite a bit (in that the MiTM attacker must also modify the transmitted page to request a plaintext password instead, a much more demanding task than just recording traffic) but requires that you send JavaScript, Java or Flash code to actually do the challenge-response protocol (and manage the inevitable clients who will have that turned off and then complain that your site "requires" things they consider a security issue).

Ultimately though, if your attacker can successfully read and modify the browser channel (either using browser plugins or indirectly by intercepting and modifying the page stream via a MiTM attack) or intercept the data entry channel (keyboard/mouse) you have already lost.

Using IPsec instead of SSL makes a successful MiTM attack much harder, but I am sure you can envision intercept scenarios (mostly requiring local PC infection, although this is also a reliable method of SSL interception in the first place) where the transmission security is bypassed rather than "broken", so it wouldn't matter if the channel were provably unbreakable to OTP levels...

