WebApp Sec mailing list archives

Re: Must we authenticate login forms (using SSL?)?


From: Antoine Martin <antoine () nagafix co uk>
Date: Fri, 30 Sep 2005 14:44:32 +0100

> e.g. My bank logon script performs an MD5 hash of the username and
> password before sending it to the bank. The MITM tricks me into visiting
> their own site, and just "proxies" the comms to the real site. However,
> they strip out the MD5 hashing script, and replace it with an "identity"
> function (i.e. the output is the same as the input). When the MITM
> receives the form submission, it is trivial for them to extract the
> username and password from the form, replace it with the MD5 hash
> expected, and pass it on to the real bank.
Absolutely, that's why in my post I had said:
"The session can still be hijacked but at least the original 
password is safer (as stealing it requires more work than 
just listening in)."

There is still some value in the approach suggested above, in the
context where the attacker can listen on the line but not proxy the real
server (and therefore not modify the page - not easily anyway).

Regards
Antoine
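The trade-off described in this exchange, as an added example that is not part of the original thread: a small Python model of the bank's client-side MD5 logon script, a passive listener who can only read the line, and an active proxy who serves its own copy of the page with the hashing script replaced by an identity function. The names (`bank_logon_script`, `BankServer`, `passive_listener`, `active_proxy`, `replay`) and the sample credentials are constructed for this model; no real site or network is involved. It makes two things concrete: the passive listener only ever sees the hash, but that hash is a password-equivalent it can resubmit (the "session can still be hijacked" point), while the active proxy sees the plaintext because the browser runs whatever script the page it loaded contained.

```python
import hashlib

# Constructed sample credentials for the model; not a real account.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def bank_logon_script(username: str, password: str) -> str:
    """The hashing script the bank's page ships: MD5 the credentials client-side."""
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


def identity_script(username: str, password: str) -> str:
    """What a page-rewriting attacker substitutes: the output equals the input."""
    return password


class BankServer:
    """Stores the expected client-side hash and accepts any form carrying it."""

    def __init__(self) -> None:
        self._expected = {USERNAME: bank_logon_script(USERNAME, PASSWORD)}
        self.logins = 0  # count of successful logins, to show replay working

    def login(self, form: dict) -> bool:
        ok = self._expected.get(form["user"]) == form["pw"]
        if ok:
            self.logins += 1
        return ok


def browser_submit(script, username: str, password: str) -> dict:
    """The browser runs whichever script the page it loaded contained."""
    return {"user": username, "pw": script(username, password)}


def passive_listener(bank: BankServer) -> dict:
    """Attacker who can read the line but cannot alter the page.

    Returns the form exactly as it crossed the wire: username plus MD5 hash,
    never the original password.
    """
    form = browser_submit(bank_logon_script, USERNAME, PASSWORD)
    captured = dict(form)
    bank.login(form)
    return captured


def active_proxy(bank: BankServer) -> dict:
    """Attacker who serves the page and relays the submission to the real bank.

    The hashing script has been swapped for identity, so the captured form holds
    the plaintext password; the attacker re-applies the bank's hash before
    forwarding so the real server accepts it.
    """
    form = browser_submit(identity_script, USERNAME, PASSWORD)
    captured = dict(form)
    forwarded = {"user": form["user"], "pw": bank_logon_script(form["user"], form["pw"])}
    bank.login(forwarded)
    return captured


def replay(bank: BankServer, captured: dict) -> bool:
    """The transmitted hash is a password-equivalent: resubmitting it logs in."""
    return bank.login(dict(captured))


if __name__ == "__main__":
    bank = BankServer()
    seen_passive = passive_listener(bank)
    print("passive listener sees:", seen_passive)
    print("replaying the captured hash still logs in:", replay(bank, seen_passive))
    seen_active = active_proxy(bank)
    print("active proxy sees:", seen_active)
```

The model shows why the thread's conclusion holds: client-side hashing raises the cost for an eavesdropper who cannot touch the page (they must reverse or replay the hash rather than read the password), but it offers nothing against an attacker who controls what the browser executes, which is exactly the gap that serving the login form over SSL is meant to close.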
