Security Basics mailing list archives

Re: Transmitting Sensitive Information between Servers


From: Chad Perrin <perrin () apotheon com>
Date: Mon, 8 Sep 2008 18:50:39 -0600

On Mon, Sep 08, 2008 at 12:48:23PM -0400, Basha, Arif wrote:

> We have a policy to not pass user name/password, etc in clear between
> servers within our DMZ.  Is this being too pedantic?
>
> I would be interested to hear how others have this implemented?

In general, I'd say that passwords should never be passed in clear text
over any network if it's at all possible to avoid.  In fact, passwords
should *themselves* not be passed, except in cases of private encrypted
tunnels (e.g., SSH tunnel) -- generally, only hashes should be sent
between a client and server.  If you have a client/server app that sends
an actual password from the client to the server, you have a server that
cannot be trusted from the client side.  Servers should deal in hash
comparisons and the like -- not in actual password management itself.

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."
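One concrete form of the "hash comparisons" exchange the reply argues for, added here as an illustration and not code from the list or its author: a challenge-response in which the client proves knowledge of a password-derived key by keying an HMAC over a server-supplied nonce, so neither the password nor a static, replayable hash of it crosses the wire. The class and function names, the PBKDF2 iteration count and the sample user and password are assumptions.

```python
"""Challenge-response login: the password (or a static hash of it) is never
sent; the client proves a password-derived key via an HMAC over a nonce.
Constructed example, not the mailing list's or the author's code."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune per hardware


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the shared verifier from the password; both sides compute this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, verifier)
        self.pending: dict[str, bytes] = {}  # user -> outstanding nonce

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        """Step 1: hand the client its salt and a fresh single-use nonce."""
        salt, _ = self.users[user]
        nonce = os.urandom(32)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Step 3: recompute the expected MAC; the nonce is consumed either way,
        so a captured response cannot be replayed against a later challenge."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        _, verifier = self.users[user]
        expected = hmac.new(verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: what the client sends; the password never leaves the client."""
    return hmac.new(derive_key(password, salt), nonce, "sha256").digest()
```

The stored verifier is still password-equivalent to anyone who can read the server's table, which is why password-authenticated key exchanges such as SRP, or TLS with client certificates, are preferred where the server itself is not fully trusted.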
