WebApp Sec mailing list archives
Re: Must we authenticate login forms (using SSL?)?
From: Antoine Martin <antoine () nagafix co uk>
Date: Fri, 30 Sep 2005 14:44:32 +0100
e.g. My bank logon script performs an MD5 hash of the username and password before sending it to the bank. The MITM tricks me to visiting their own site, and just "proxies" the comms to the real site. However, they strip out the MD5 hashing script,and replace it with an "identity" function (i.e. the output is the same as the input). When the MITM receives the form submission, it is trivial for them to extract the username and password from the form, replace it with the MD5 hash expected, and pass it on to the real bank.
Absolutely, that's why in my post I had said: "The session can still be hijacked but at least the original password is safer (as stealing it requires more work than just listening in)." There is still some value in the approach suggested above, in the context where the attacker can listen on the line but not proxy the real server (and therefore not modify the page - not easily anyway). Regards Antoine
Current thread:
- Must we authenticate login forms (using SSL?)? Amir Herzberg (Sep 28)
- <Possible follow-ups>
- Re: Must we authenticate login forms (using SSL?)? info (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Peter Conrad (Sep 30)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Rogan Dawes (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Eoin Keary (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)