Penetration Testing mailing list archives
Re: username and Password sent as clear text strings
From: christopher.riley () r-it at
Date: Thu, 15 May 2008 10:14:08 +0200
I think the issue of SSL encrypted transmissions right now is at the forefront of people's minds. Especially if you happen to be using one of the vulnerable OpenSSL implementations under Debian/Ubuntu.

The issue comes down to defence in depth. Those people using Debian servers for SSL connections are now scrambling to patch the systems before somebody captures the packets and decrypts the clear text from the communication. The whole point of a defence in depth approach is to have multiple layers protecting this data to prevent a flaw in one from opening you up to a whole range of problems. If the password is sent in clear text, even if it's over an SSL connection, one hole in the SSL security and your username and password could be known. It's not a risk worth taking in my opinion.

Security isn't just about protecting the borders anymore. Be that the border of your network, or the border around your data while in motion or at rest. Just ask all those companies that hold clear text versions of credit card details on their servers. One crack in the database security and you're sending out letters to all your customers saying sorry for the breach.

In my opinion, the best solution would be to implement obfuscation of the username / password, or to use a challenge response model to reduce possible exposure. Then again, a lot of companies just want the basic level of security and aren't interested in the layered approach.

Ref: CVE-2008-0166
"OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."

Chris
From: <jfvanmeter_at_comcast.net>
Date: Wed, 14 May 2008 10:39:51 +0000

Hello everyone, and I know this might not be the most correct place to post this question, but I was hoping to get some feedback on what you think the potential risk would be and how this could be exploited.

I completed a security review of a web server that creates an SSL connection between the client and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires an administrative account.

Do you think there is a large amount of risk in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or some type of session hijacking attack could allow the account to be compromised.

I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correctly.

Thank you in advance

--John