WebApp Sec mailing list archives
Re: Securing password between webserver & appserver.
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Tue, 8 Sep 2009 21:45:09 +0530
You're right, the client side CC is just another alternative if you're worried about passwords being in clear text. If you have client side certs you can probably even do away with authentication, as only specific users will have the cert, though most places have the cert and the login form as well to protect against the cert being stolen. The SSL, yes, will end at the web server... but hey, that is what it is supposed to do.

The deal though is: if you have a salted hash mechanism with the salt controlled at the server, the password will still be encrypted... NOT by the SSL but because of the salt and the MD5/SHA1 you are using on the client side to encrypt it. The client side code in this case won't be bypassed. Well, I mean you can of course intercept and remove the JavaScript, but the server won't accept a request without a valid salted password hash... so you should be fine. A lot of apps I've seen do this.

Lastly, if you're concerned with the traffic between the web server and the DB, you'll want to ensure that all your queries are also sent over SSL (you'll probably need to enable this on the DB first). In case your app server (Tomcat/WebLogic etc.), if at all you have one, is on a separate server, you'll need to look at encrypting content between:

a) Client and the WS
b) WS and the AS
c) AS and the DB

Hope that clarifies things a little more.

Cheers
Arvind

On Tue, Sep 8, 2009 at 10:50 AM, Chintan Oza<chintan.oza () gmail com> wrote:
Hi Arvind,

There is one set of users for which password verification is done by our server, whereas in the case of the other group of users the password verification will be done by a third party system which expects the password in plain format. Correct me if I am wrong, but usage of a client certificate doesn't help protect communication between the web server and the app server as its job ends at the web server which handles SSL.

Thanks,
Chintan
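The server-controlled salt scheme Arvind describes, worked through as an added example that is not code from the thread: the server hands the login form a random single-use salt, the client submits SHA-1(salt + password), and the server recomputes and compares, rejecting a missing, expired or replayed salt. Assumptions of the demo: a constructed user store, and that the server keeps the plaintext password (or an equivalent) because it must recompute the hash itself.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store (not from the thread). To recompute
# hash(salt + password) the server needs the password itself or a value
# derived from it; this demo keeps the plaintext, as the third-party
# verifier in the thread also requires.
USERS = {"alice": "correct horse battery staple"}

# Salts the server has handed out but not yet consumed: salt -> (user, expiry).
_issued_salts = {}
SALT_TTL_SECONDS = 60


def issue_salt(username, now=None):
    """Server step: generate a fresh random single-use salt for the login form."""
    now = time.time() if now is None else now
    salt = secrets.token_hex(16)
    _issued_salts[salt] = (username, now + SALT_TTL_SECONDS)
    return salt


def client_hash(salt, password):
    """What the client-side JavaScript would compute: SHA-1 over salt + password."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def verify_login(username, salt, submitted_hash, now=None):
    """Server step: accept only a hash over a salt this server issued,
    to this user, that has not expired and has not been used before."""
    now = time.time() if now is None else now
    entry = _issued_salts.pop(salt, None)  # consume; a replayed salt finds nothing
    if entry is None:
        return False
    issued_to, expiry = entry
    if issued_to != username or now > expiry or username not in USERS:
        return False
    expected = client_hash(salt, USERS[username])
    # Constant-time compare so a wrong hash is not distinguishable by timing.
    return hmac.compare_digest(expected, submitted_hash)
```

Because the server recomputes the hash from the stored password, the scheme only hides the password on the wire for that one hop; each hop Arvind lists (client to WS, WS to AS, AS to DB) still needs its own transport protection.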