Penetration Testing mailing list archives

Re: username and Password sent as clear text strings


From: christopher.riley () r-it at
Date: Thu, 15 May 2008 10:14:08 +0200

I think the issue of SSL-encrypted transmissions is at the forefront of
people's minds right now, especially if you happen to be using one of the
vulnerable OpenSSL implementations under Debian/Ubuntu.

The issue comes down to defence in depth. Those people using Debian servers
for SSL connections are now scrambling to patch the systems before somebody
captures the packets and decrypts the clear text from the communication.

The whole point of a defence in depth approach is to have multiple layers
protecting this data to prevent a flaw in one from opening you up to a
whole range of problems. If the password is sent in clear text, even if
it's over an SSL connection, one hole in the SSL security and your username
and password could be known. It's not a risk worth taking in my opinion.

Security isn't just about protecting the borders anymore. Be that the
border of your network, or the border around your data while in motion or
at rest. Just ask all those companies that hold clear text versions of
credit card details on their servers. One crack in the database security
and you're sending out letters to all your customers saying sorry for the
breach.

In my opinion, the best solution would be to implement obfuscation of the
username / password, or to use a challenge response model to reduce
possible exposure. Then again, a lot of companies just want the basic level
of security and aren't interested in the layered approach.

Ref: CVE-2008-0166

"OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a
random number generator that generates predictable numbers, which makes it
easier for remote attackers to conduct brute force guessing attacks against
cryptographic keys."

Chris
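As an added illustration of the challenge-response model Chris suggests (example code written for this archive page, not from either poster or from any product mentioned in the thread): the server issues a fresh random nonce per login attempt, the client answers with an HMAC of that nonce keyed with the password, and the server recomputes and compares in constant time. The password itself never crosses the wire, and a captured (challenge, response) pair cannot be replayed because each challenge is consumed on use. The sample credential, the HMAC-SHA256 construction and the `ChallengeServer` class are all assumptions made for the demo. The `offline_guess` function shows the caveat that goes with this design: anyone who records a pair can still test password guesses offline, so the server-side password must be strong and TLS remains the primary protection.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store for the demo (not from the original post).
# A real server would hold a derived key rather than the plain password.
USERS = {"admin": "correct horse battery staple"}


def issue_challenge() -> bytes:
    """Server side: an unpredictable, single-use nonce for one login attempt."""
    return secrets.token_bytes(32)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without transmitting it."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def server_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    password = USERS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


class ChallengeServer:
    """Tracks outstanding challenges so that each one is accepted at most once."""

    def __init__(self) -> None:
        self.outstanding: set = set()

    def start_login(self) -> bytes:
        challenge = issue_challenge()
        self.outstanding.add(challenge)
        return challenge

    def finish_login(self, username: str, challenge: bytes, response: bytes) -> bool:
        # An unknown or already-consumed challenge is rejected outright; this is
        # what defeats a replay of a captured (challenge, response) pair.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        return server_verify(username, challenge, response)


def offline_guess(challenge: bytes, response: bytes, candidates):
    """Caveat: an eavesdropper holding one pair can test guesses offline.

    Returns the first candidate password that reproduces the response, or None.
    """
    for guess in candidates:
        if hmac.compare_digest(client_response(guess, challenge), response):
            return guess
    return None


def demo():
    """Run the exchange three ways and return (legit_ok, replay_ok, wrong_pw_ok)."""
    server = ChallengeServer()

    # 1. Legitimate login: the wire carries only the nonce and the HMAC.
    c1 = server.start_login()
    r1 = client_response(USERS["admin"], c1)
    legit_ok = server.finish_login("admin", c1, r1)

    # 2. Replaying the captured pair fails: c1 was consumed in step 1.
    replay_ok = server.finish_login("admin", c1, r1)

    # 3. A wrong password on a fresh challenge fails the HMAC comparison.
    c2 = server.start_login()
    wrong_pw_ok = server.finish_login("admin", c2, client_response("wrong", c2))

    return legit_ok, replay_ok, wrong_pw_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The exchange is only as strong as the password behind it: `offline_guess` with a short wordlist recovers the constructed sample password from a single captured pair, which is why this layer reduces exposure of the credential in transit but does not remove the need for the encrypted channel or for strong credentials.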
 
From: <jfvanmeter_at_comcast.net>
Date: Wed, 14 May 2008 10:39:51 +0000


Hello everyone, and I know this might not be the most correct place to post
this question, but I was hoping to get some feedback on what you think the
potential risk would be and how this could be exploited.


I completed a security review of a web server that creates an SSL
connection between the client and the server. Using WebScarab, I could see
that the username and password are sent as clear text strings. The log in
to the server requires an administrative account.


Do you think there is a large amount of risk in sending the username and
password as a clear text string, since the pipe is encrypted? I was
thinking that a man-in-the-middle or some type of session hijacking attack
could allow the account to be compromised.


I'm working on completing the report for my client and was hoping to get
some feedback from everyone so I could pose this to them correctly.


Thank you in advance --John

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

The exchange of messages with the above-named sender via e-mail is for information purposes only.
Legally binding declarations may not be exchanged over this medium.
----------------------------------------

