WebApp Sec mailing list archives

RE: Securing password between webserver & appserver.


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Tue, 8 Sep 2009 07:16:29 +0100


You are right. Without changing your architecture or requirements you would have to have the client encrypt the message before sending it through an untrusted web server.

Just stating the obvious here though; if the web server is genuinely
untrusted, then logically none of this can be secured anyway.

An attacker at the web server is a classic MITM. All they need to do is
remove the client side auth code as it passes on the way out to the
client, and then they will always receive a clear-text password back
from the client. POW!

If you don't trust the server, then a web delivery mechanism probably
isn't the right architecture at all.

Martin...