WebApp Sec mailing list archives

RE: Must we authenticate login forms (using SSL?)?

From: "Nathaniel S. H. Brown" <nshb () inimit com>
Date: Thu, 29 Sep 2005 22:02:00 -0700

I have created a very unique, yet simple method of a form encryption that
provides the same mechanism that the public/private key entails.

Check out my just published release at
http://www.nshb.net/secure-form-post-with-javascript-without-ssl

Look forward to hearing any feedback you guys have :)

Warmest regards,
Nathan.

--------------------------------------------------------------
Nathaniel S. H. Brown                 Toll Free 1.877.4.INIMIT
Inimit Innovations                        Phone   604.724.6624
www.inimit.com                              Fax   604.444.9942

-----Original Message-----
From: Antoine Martin [mailto:antoine () nagafix co uk] 
Sent: September 29, 2005 1:17 PM
To: info () biledge com
Cc: webappsec () securityfocus com
Subject: Re: Must we authenticate login forms (using SSL?)?

On Thu, 2005-09-29 at 11:03 +0300, info () biledge com wrote:

hi,

we do authenticate login forms with SSL or not, UAE (users  are 
everywhere) is the valid one, the attack is unavoidable.

kind of hit-and-hide game. then MITM is also = UITM.
I am surprised no-one has mentioned the use of client-side encryption
(ie: checksum the password with a random session seed - which 
can be done in Javascript for example) as a way of reducing 
the risks of MITM.
The session can still be hijacked but at least the original 
password is safer (as stealing it requires more work than 
just listening in).
Obviously, this relies on more than just plain html and needs 
other safeguards to ensure the MITM can't make the client 
default to the non-javascript version (if there is one), etc.

just my 2p

Antoine


if we can create a 'secure system' among all servers in the world, 
then we may provide security. but if clauses are jokers

sometimes, i

think it is better to prefer the identity based security

systems. you

can have SSL but user may not use https. if servers can

control the use of https, then i think things would be 
different in terms of security (now i feel very insecure !)..

i am just thinking though..

regards,

billur c.

Current thread:

Must we authenticate login forms (using SSL?)? Amir Herzberg (Sep 28)
- <Possible follow-ups>
- Re: Must we authenticate login forms (using SSL?)? info (Sep 29)
  - Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)
    - RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 29)
    - Re: Must we authenticate login forms (using SSL?)? Peter Conrad (Sep 30)
    - RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 30)
    - Re: Must we authenticate login forms (using SSL?)? Rogan Dawes (Sep 30)
    - Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
    - Re: Must we authenticate login forms (using SSL?)? Eoin Keary (Sep 30)
    - Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? mike03051 (Sep 29)