Well aware of that, I said in the original email, it will increase the
work factor.
Regards
~Aman
Dean H. Saxe wrote:
> On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:
>> Using Post method is considered more secure of the three options. You
>> may encrypt the credentials at the client, with a script on the client
>> browser. This won't make it completely resistant (when the proxy is
>> sniffing and decrypting SSL, as per the scenario) but will increase the
>> work factor because now the attacker has to get to the key and then
>> decrypt to get the credentials.
>
> The key in this scenario has to be publicly available, so client-side
> encryption of the credentials doesn't add any security to the system.
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> dean_at_fullfrontalnerdity.com
> "I have always strenuously supported the right of every man to his own
> opinion, however different that opinion might be to mine. He who denies
> another this right makes a slave of himself to his present opinion,
> because he precludes himself the right of changing it."
> -- Thomas Paine, 1783
>
>
>
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
Received on Jun 10 2007
Intro
