Re: Login credentials and session id security

[Aman Raheja <araheja () techquotes com>]

Well aware of that, I said in the original email, it will increase the
work factor.

Regards
~Aman


Dean H. Saxe wrote:
> On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:
> > Using Post method is considered more secure of the three options. You
> > may encrypt the credentials at the client, with a script on the client
> > browser. This won't make it completely resistant (when the proxy is
> > sniffing and decrypting SSL, as per the scenario) but will increase the
> > work factor because now the attacker has to get to the key and then
> > decrypt to get the credentials.
>
> The key in this scenario has to be publicly available, so client-side
> encryption of the credentials doesn't add any security to the system.
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> dean () fullfrontalnerdity com
> "I have always strenuously supported the right of every man to his own
> opinion, however different that opinion might be to mine. He who denies
> another this right makes a slave of himself to his present opinion,
> because he precludes himself the right of changing it."
>     -- Thomas Paine, 1783

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------