WebApp Sec mailing list archives

Re: Securing password between webserver & appserver.
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Mon, 7 Sep 2009 21:59:55 +0530

Hey Chintan,
Yes, client-side certificates are possible, but a big pain if you have a
large number of users to whom you have to distribute them.

However I'm curious, a properly implemented salted hash solution where
the salt is randomly generated and matched on the server each time the
client sends it will prevent a lot of attacks. Note - the server
decides the salt, not the client.

So while I am not contesting your requirement and your reasons, I think
that not much harm is done even if the webserver sees the
salted-hashed password. It can't be cracked, it can't be replayed, so
what's the problem?

Am I missing something?

Cheers
Arvind

On Mon, Sep 7, 2009 at 11:34 AM, Chintan Oza<chintan.oza () gmail com> wrote:
> Dear All,
>
> We have a web application which performs user authentication on an
> id+password basis.
>
> The architecture is like this:
> Browser<-HTTPS->WebServer<-->AppServer
>
> We have a requirement that the password should not be available to the
> WebServer (even in hashed format).
>
> The only solution that I can think of is having an Applet perform PKI
> encryption on the password before submitting the form.
>
> Please suggest if there are any better alternatives.
>
> Thanks,
>
> Chintan
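The scheme Arvind describes, a random salt/nonce chosen by the server per login attempt and checked on the server when the client's proof comes back, is a challenge-response exchange. The following is an added illustration written for this archive page, not code from either poster: it assumes a PBKDF2-derived password verifier stored by the server, an HMAC over the nonce as the client's proof, and single-use nonces, and it shows why a proof captured in transit cannot be replayed, either against the same nonce or against a fresh one.

```python
import hashlib
import hmac
import os

# Constructed example of a server-decided nonce ("the server decides the salt,
# not the client") mixed into the password proof. All names, the PBKDF2
# verifier and the HMAC proof are assumptions for this illustration; the
# thread does not specify any particular construction.

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored verifier


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted, stretched password verifier; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def client_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the browser submits: an HMAC over the server's nonce, keyed with the verifier."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, verifier)
        self.pending: dict[str, bytes] = {}              # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        """Step 1: hand the client its salt and a fresh random nonce for this attempt."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce  # replaces any earlier, unused nonce
        return salt, nonce

    def verify(self, username: str, nonce: bytes, proof: bytes) -> bool:
        """Step 2: accept the proof only for the nonce we issued, and consume that nonce.

        pop() makes each nonce single use, so resubmitting a captured
        (nonce, proof) pair fails even though the proof itself is valid.
        """
        if username not in self.users:
            return False
        _, verifier = self.users[username]
        issued = self.pending.pop(username, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def run_scenario() -> dict[str, bool]:
    """Exercise the exchange: a good login, two replay attempts, and a wrong password."""
    server = AuthServer()
    server.register("chintan", "correct horse battery staple")  # constructed test user

    salt, nonce = server.challenge("chintan")
    captured = client_proof("correct horse battery staple", salt, nonce)  # what the webserver sees
    first_login = server.verify("chintan", nonce, captured)

    # Replaying the same (nonce, proof) pair: the nonce was consumed, so it is refused.
    replay_same_nonce = server.verify("chintan", nonce, captured)

    # Replaying the captured proof against a fresh challenge: the nonce differs, so it is refused.
    _, nonce2 = server.challenge("chintan")
    replay_new_nonce = server.verify("chintan", nonce2, captured)

    # A wrong password with a fresh challenge is refused.
    salt3, nonce3 = server.challenge("chintan")
    wrong_password = server.verify("chintan", nonce3, client_proof("wrong", salt3, nonce3))

    return {
        "first_login": first_login,
        "replay_same_nonce": replay_same_nonce,
        "replay_new_nonce": replay_new_nonce,
        "wrong_password": wrong_password,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting. The replay protection comes entirely from the server issuing the nonce and discarding it after one use; if the client could choose the nonce, or the server accepted any previously issued nonce, a captured proof would be reusable. Second, what the webserver observes (salt, nonce and proof) is still a function of the password alone, so the protection against guessing rests on password strength and the PBKDF2 work factor; the exchange keeps the plaintext password and the stored verifier off the wire, but it does not by itself make a weak password unguessable.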