-----Original Message-----
From: Antoine Martin [mailto:antoine () nagafix co uk]
Sent: September 29, 2005 1:17 PM
To: info () biledge com
Cc: webappsec () securityfocus com
Subject: Re: Must we authenticate login forms (using SSL?)?
On Thu, 2005-09-29 at 11:03 +0300, info () biledge com wrote:
hi,
we do authenticate login forms with SSL or not, UAE (users are
everywhere) is the valid one, the attack is unavoidable.
kind of hit-and-hide game. then MITM is also = UITM.
I am surprised no-one has mentioned the use of client-side encryption
(ie: checksum the password with a random session seed - which
can be done in Javascript for example) as a way of reducing
the risks of MITM.
The session can still be hijacked but at least the original
password is safer (as stealing it requires more work than
just listening in).
Obviously, this relies on more than just plain html and needs
other safeguards to ensure the MITM can't make the client
default to the non-javascript version (if there is one), etc.
just my 2p
Antoine
if we can create a 'secure system' among all servers in the world,
then we may provide security. but if clauses are jokers
sometimes, i
think it is better to prefer the identity based security
systems. you
can have SSL but user may not use https. if servers can
control the use of https, then i think things would be
different in terms of security (now i feel very insecure !)..
i am just thinking though..
regards,
billur c.
Intro
