basics logo Security Basics mailing list archives

Re: Transmitting Sensitive Information between Servers
From: Chad Perrin <perrin () apotheon com>
Date: Mon, 8 Sep 2008 18:50:39 -0600

On Mon, Sep 08, 2008 at 12:48:23PM -0400, Basha, Arif wrote:

> We have a policy to not pass user name/password, etc in clear between
> servers within our DMZ.  Is this being too pedantic?
>
> I would be interested to hear how others have this implemented?

In general, I'd say that passwords should never be passed in clear text
over any network if it's at all possible to avoid.  In fact, passwords
should *themselves* not be passed, except in cases of private encrypted
tunnels (e.g., SSH tunnel) -- generally, only hashes should be sent
between a client and server.  If you have a client/server app that sends
an actual password from the client to the server, you have a server that
cannot be trusted from the client side.  Servers should deal in hash
comparisons and the like -- not in actual password management itself.

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."
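A worked illustration of the "servers deal in hash comparisons, not passwords" model described in the reply above. This is an added example, not code from the list post or from any project: a simplified SCRAM-style challenge-response modelled on RFC 5802 (channel binding, message framing and the server-signature step are omitted, and the names enroll, client_proof, server_verify and Verifier are this example's own). The server enrolls only a salted, hashed verifier; at login the client sends a proof bound to a fresh server nonce rather than the password or a bare password hash. The nonce is the practitioner's check that matters: a static hash of the password sent over the wire is itself a replayable credential, whereas the proof below is only valid for the one exchange it was computed for.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed example: a simplified SCRAM-style (RFC 5802) exchange.
# Names (enroll, client_proof, server_verify, Verifier) are this example's own.
# Simplifications vs. real SCRAM: no channel binding, no message framing,
# and the server does not send its own signature back to the client.


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def HMAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass(frozen=True)
class Verifier:
    """What the server stores. No field reveals the password, and
    stored_key on its own does not let its holder impersonate the client."""
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): a hash, never the password


def enroll(password: str, iterations: int = 4096,
           salt: Optional[bytes] = None) -> Verifier:
    # Enrollment is the only time the password is handled in full, and it
    # happens on the client side of this toy; the server keeps the Verifier.
    salt = os.urandom(16) if salt is None else salt
    client_key = HMAC(salted_password(password, salt, iterations), b"Client Key")
    return Verifier(salt, iterations, H(client_key))


def auth_message(client_nonce: str, server_nonce: str) -> bytes:
    # Both nonces are bound into the bytes the proof is computed over, so a
    # proof captured on the wire is useless for any later login attempt.
    return f"r={client_nonce}{server_nonce}".encode()


def client_proof(password: str, salt: bytes, iterations: int,
                 message: bytes) -> bytes:
    # Client side. Only the proof leaves the client; the password never does.
    client_key = HMAC(salted_password(password, salt, iterations), b"Client Key")
    client_signature = HMAC(H(client_key), message)
    return xor(client_key, client_signature)


def server_verify(v: Verifier, message: bytes, proof: bytes) -> bool:
    # Server side: recover ClientKey from the proof and compare its hash with
    # the stored one in constant time. The server never sees the password.
    client_signature = HMAC(v.stored_key, message)
    recovered_client_key = xor(proof, client_signature)
    return hmac.compare_digest(H(recovered_client_key), v.stored_key)


def authenticate(password: str, v: Verifier,
                 client_nonce: Optional[str] = None,
                 server_nonce: Optional[str] = None) -> bool:
    """One full exchange, client and server played in-process."""
    client_nonce = client_nonce or secrets.token_hex(12)   # chosen by client
    server_nonce = server_nonce or secrets.token_hex(12)   # chosen by server
    message = auth_message(client_nonce, server_nonce)
    proof = client_proof(password, v.salt, v.iterations, message)  # client -> server
    return server_verify(v, message, proof)


if __name__ == "__main__":
    verifier = enroll("correct horse battery staple")
    print("good password:", authenticate("correct horse battery staple", verifier))
    print("bad password: ", authenticate("wrong", verifier))
```

Two things to notice when running it: the Verifier that the server persists contains a salt, an iteration count and one hash, so a database dump yields only material for an offline guessing attack, not a credential that logs in directly; and a proof computed for one server nonce fails verification under any other nonce, which is what makes this different from shipping a fixed hash of the password across the DMZ.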
