I never called it a password in clear text, I said it was a clear text string that contained a password. In my mind that is different then a clear text password.
Just my two shiney centavos --John
-------------- Original message ----------------------
From: "Matthew Zimmerman" <mzimmerman_at_gmail.com>
> In my opinion, if you want to mitigate this, don't use passwords. Use
> true challenge-response. Everything else proposed here is either
> obfuscation or doesn't really work in a web application environment.
> A VPN around a webserver only works if every user that needs access to
> that webserver can also access the vpn.
>
> This situation should NOT be described as a 'password in cleartext'.
> If you call SSL encryption (when using a decent symmetric algorithm),
> then this is not a cleartext issue... You've committed a
> man-in-the-middle attack by being the client AND the
> man-in-the-middle... That doesn't really get you anything. If you
> control the client, you control the connection. In this case, you
> told your client to trust a self-signed certificate with the name of
> "WebScarab" when you went to "OtherSite.
>
> Follow NIST SP 800-63 for more guidance --
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1
>
> Matt Zimmerman
>
> On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter_at_comcast.net> wrote:
> > Hello everyone, and I know this might not be the most correct place to post
> this questions, but I was hoping to get some feedback on what you think the
> potential risk would be and how this this could be exploited.
> >
> > I completed a security review of a web server, that creates a SSL connection
> between the cleint and the server. Using WebScarab, I could see that the
> username and password are sent as clear text strings. The log in to the server
> requires a administrative account.
> >
> > Do you think there is a large amount of risk, in sending the username and
> password as a clear text string, since the pipe is encrypted? I was thinking
> that a man-in-the-middle or sometype of session hijacking attack could allow
> the account to be compromised.
> >
> > I'm working on completing the report for my client and was hoping to get some
> feedback from everyone so I could pose this to them correcly.
> >
> > Thank you in advance --John
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
> >
> >
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Received on May 21 2008
Intro
