On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:
> Using Post method is considered more secure of the three options. You
> may encrypt the credentials at the client, with a script on the client
> browser. This won't make it completely resistant (when the proxy is
> sniffing and decrypting SSL, as per the scenario) but will increase
> the
> work factor because now the attacker has to get to the key and then
> decrypt to get the credentials.
The key in this scenario has to be publicly available, so client-side
encryption of the credentials doesn't add any security to the system.
-dhs
Dean H. Saxe, CISSP, CEH
dean_at_fullfrontalnerdity.com
"I have always strenuously supported the right of every man to his
own opinion, however different that opinion might be to mine. He who
denies another this right makes a slave of himself to his present
opinion, because he precludes himself the right of changing it."
-- Thomas Paine, 1783
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
Received on Jun 08 2007
Intro
