Penetration Testing mailing list archives
Re: username and Password sent as clear text strings
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 20 May 2008 09:43:09 +0100
Matthew Zimmerman wrote:
In my opinion, if you want to mitigate this, don't use passwords. Use true challenge-response. Everything else proposed here is either obfuscation or doesn't really work in a web application environment. A VPN around a webserver only works if every user that needs access to that webserver can also access the vpn.
that is unfortunately only security though obscurity, and barely worth doing - it raises the bar quite a bit (in that the MiTM attacker must also modify the transmitted page to request a plaintext password instead. a much more demanding task than just recording traffic) but requires that you send javascript, java or flash code to actually do the challenge-response protocol (and manage the inevitable clients who will have that turned off then complain that your site "requires" things they consider a security issue).
Ultimately though, if your attacker can successfully read and modify the browser channel (either using browser plugins or indirectly by intercepting and modifying the page stream via a MiTM attack) or intercept the data entry channel (keyboard/mouse) you have already lost.
Using IPSEC instead of ssl makes a successful MiTM attack much harder, but I am sure you can envision intercept scenarios (mostly requiring local pc infection, although this is also a reliable method of SSL interception in the first place) where the transmission security is bypassed rather than "broken" so it wouldn't matter if the channel were provably unbreakable to OTP levels....
------------------------------------------------------------------------ This list is sponsored by: CenzicTop 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs?, (continued)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Jon Kibler (May 16)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Newton, Preston (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Rick Zhong (May 17)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 26)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Adriano Leite (DHL CZ) (May 28)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 28)
- Re: username and Password sent as clear text strings David Howe (May 21)
- Re: username and Password sent as clear text strings Matthew Zimmerman (May 22)
- Re: username and Password sent as clear text strings David Howe (May 23)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 17)