WebApp Sec mailing list archives
RE: Securing password between webserver & appserver.
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Tue, 8 Sep 2009 07:16:29 +0100
You are right. Without changing your architecture or requirements you would have to have the client encrypt the message before sending it through an untrusted web server.
Just stating the obvious here though; if the web server is genuinely untrusted, then logically none of this can be secured anyway. An attacker at the web server is a classic MITM. All they need to do is remove the client-side auth code as it passes on the way out to the client, and then they will always receive a clear-text password back from the client. POW! If you don't trust the server, then a web delivery mechanism probably isn't the right architecture at all.

Martin...
Current thread:
- Re: Securing password between webserver & appserver., (continued)
- Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
- Re: Securing password between webserver & appserver. Robert Hajime Lanning (Sep 07)
- RE: Securing password between webserver & appserver. EXT-Adams, Randall E (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 08)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- RE: Securing password between webserver & appserver. Ken Schaefer (Sep 07)
- Re: Securing password between webserver & appserver. Till Elsner (Sep 08)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 07)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 08)