WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Login credentials and session id security

From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Fri, 8 Jun 2007 13:59:09 -0400
On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:

Using Post method is considered more secure of the three options. You
may encrypt the credentials at the client, with a script on the client
browser. This won't make it completely resistant (when the proxy is
sniffing and decrypting SSL, as per the scenario) but will increase the 
work factor because now the attacker has to get to the key and then
decrypt to get the credentials.
The key in this scenario has to be publicly available, so client-side encryption of the credentials doesn't add any security to the system. 

-dhs


Dean H. Saxe, CISSP, CEH
dean () fullfrontalnerdity com
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it." 
    -- Thomas Paine, 1783




-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: