WebApp Sec mailing list archives

Passing Credentials in the clear- Possible fixes


From: Jeff <pen_tester () adelphia net>
Date: Fri, 25 Feb 2005 18:37:49 -0800

I'm conducting an application assessment for a portal app that is going
to be rolled out shortly. All users are allowed access to the home page
without authenticating. To get to the customizable portlets they must
authenticate. I discovered today that the user credentials are being
passed in the clear. When I present this finding I'm expecting some
pushback from the application team about how "it's not their problem.
It's up to the infrastructure group to come up with a solution (i.e.
https enabled servers, network encryption devices, etc.)"

My question is this - Are there any possible solutions I could present
to the application team as to how they can fix the problem via a coding
change instead of letting them lay the responsibility for securing
their information off on another group? The portal is Java based if
that makes a difference.

Any info appreciated.



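One code-level mitigation the application team could own, added here as an illustration and not part of the original post: a servlet filter (javax.servlet, matching the Java portal) that refuses to serve or accept the login exchange over plain HTTP, so credentials never cross the wire unencrypted even if the infrastructure group only provides an HTTPS listener. The login path, the filter mapping and the proxy setup are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter mapped (in web.xml, assumed) to the login path, e.g. /login/*.
 * Policy: the login form is only served over TLS, and a credential
 * submission that arrives over plain HTTP is rejected, not redirected.
 */
public class RequireTlsFilter implements Filter {

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            chain.doFilter(req, res);   // already on HTTPS: let the login proceed
            return;
        }

        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A POST over HTTP has already exposed the password on the network.
            // Redirecting would make the browser resend it; fail closed instead
            // so the finding shows up in the logs rather than being masked.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Authentication is only accepted over HTTPS");
            return;
        }

        // GET of the login form: send the browser to the HTTPS equivalent so the
        // form, and therefore its submission, is served over TLS. The query string
        // is deliberately dropped in case a GET-submitted form carried credentials.
        StringBuffer url = request.getRequestURL();
        String httpsUrl = "https" + url.substring(url.indexOf("://"));
        response.sendRedirect(httpsUrl);
    }

    public void destroy() {}
}
```

Two caveats: if TLS is terminated on a front-end proxy, `isSecure()` only reports true when the container is configured to trust the proxy's forwarded-protocol header; and the same requirement can be stated declaratively with a `<security-constraint>` whose `<transport-guarantee>` is `CONFIDENTIAL`, which still needs the HTTPS listener from infrastructure but keeps the policy in the application's own deployment descriptor.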

