Security Basics mailing list archives
Re: Transmitting Sensitive Information between Servers
From: Chad Perrin <perrin () apotheon com>
Date: Mon, 8 Sep 2008 18:50:39 -0600
On Mon, Sep 08, 2008 at 12:48:23PM -0400, Basha, Arif wrote:
> We have a policy to not pass user name/password, etc. in clear between servers within our DMZ. Is this being too pedantic? I would be interested to hear how others have this implemented?
In general, I'd say that passwords should never be passed in clear text over any network if it's at all possible to avoid. In fact, passwords should *themselves* not be passed, except in cases of private encrypted tunnels (e.g., SSH tunnel) -- generally, only hashes should be sent between a client and server. If you have a client/server app that sends an actual password from the client to the server, you have a server that cannot be trusted from the client side. Servers should deal in hash comparisons and the like -- not in actual password management itself.

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when terrible things happen and a false government security blanket beckons."
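The post above argues for a design in which the server only ever compares hashes and the password itself never crosses the wire. The following is an added example, not code from the original post or from any of the thread's participants, of one common way to realise that: a nonce-based challenge-response in which the server stores a PBKDF2-derived verifier and the client proves knowledge of the password by returning HMAC(verifier, nonce). The user name, password, iteration count and the in-memory "wire capture" are constructed for the demonstration; the Server and Client classes and run_demo() are hypothetical helpers written for this page.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for the demo; tune for your hardware.
PBKDF2_ITERATIONS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation. The server stores only this value, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Server:
    """Holds (salt, verifier) per user and issues single-use nonces."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.pending: dict[str, bytes] = {}  # username -> outstanding nonce

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str) -> dict[str, bytes]:
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce  # a new challenge invalidates the old one
        return {"salt": salt, "nonce": nonce}

    def verify(self, username: str, response: bytes) -> bool:
        salt, verifier = self.users[username]
        nonce = self.pending.pop(username, None)  # single use: consumed on first verify
        if nonce is None:
            return False
        expected = hmac.new(verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Client:
    """Knows the password; only ever sends a keyed hash over the server's nonce."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password

    def respond(self, challenge: dict[str, bytes]) -> bytes:
        verifier = derive_verifier(self.password, challenge["salt"])
        return hmac.new(verifier, challenge["nonce"], "sha256").digest()


def run_demo() -> dict[str, bool]:
    """Runs a good login, a replay, and a wrong-password attempt; records what hit the wire."""
    password = "correct horse"  # constructed sample credential
    server = Server()
    server.enroll("arif", password)
    client = Client("arif", password)

    wire: list[bytes] = []  # constructed capture of every message that crosses the network

    # 1. Legitimate exchange: challenge out, HMAC response back.
    ch = server.challenge("arif")
    wire.append(b"".join(ch.values()))
    resp = client.respond(ch)
    wire.append(resp)
    ok = server.verify("arif", resp)

    # 2. Replay: an eavesdropper re-sends the captured response against a fresh nonce.
    server.challenge("arif")
    replay_ok = server.verify("arif", resp)

    # 3. Wrong password yields a different verifier and therefore a different HMAC.
    ch2 = server.challenge("arif")
    wrong_ok = server.verify("arif", Client("arif", "wrong").respond(ch2))

    return {
        "ok": ok,
        "replay_ok": replay_ok,
        "wrong_ok": wrong_ok,
        "password_on_wire": any(password.encode("utf-8") in m for m in wire),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things worth keeping in mind with this pattern: the stored verifier is password-equivalent for this protocol (anyone holding it can answer a challenge), so the server's credential store needs the same protection a password file would; and the exchange only keeps the password off the wire, it does nothing for the confidentiality or integrity of whatever follows, so it complements rather than replaces an encrypted channel such as the SSH tunnel mentioned above.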
Current thread:
- Re: DMZ Web Servers, (continued)
- Re: DMZ Web Servers David Glosser (Sep 08)
- RE: DMZ Web Servers Lafosse, Ricardo (Sep 08)
- Re: DMZ Web Servers Adriel Desautels (Sep 08)
- Transmitting Sensitive Information between Servers Basha, Arif (Sep 08)
- Re: Transmitting Sensitive Information between Servers Ben Preston (Sep 08)
- RE: Transmitting Sensitive Information between Servers Thevendriya, Arvind (Sep 08)
- Re: Transmitting Sensitive Information between Servers Nathaniel Hall (Sep 08)
- Re: Transmitting Sensitive Information between Servers Chad Perrin (Sep 10)
- Re: Transmitting Sensitive Information between Servers Ansgar Wiechers (Sep 08)
- Re: Transmitting Sensitive Information between Servers Chris Benedict (Sep 08)
- Re: Transmitting Sensitive Information between Servers Chad Perrin (Sep 10)
- RE: Transmitting Sensitive Information between Servers David Gillett (Sep 11)
- Re: DMZ Web Servers David Glosser (Sep 08)
- TrueCrypt Basiru Ndow (Sep 10)
- Re: TrueCrypt Marc-André Laverdière (Sep 11)