use a company called Microdasys if you want to mitigate that problem.
-------------- Original message ----------------------
From: "Shenk, Jerry A" <jshenk (at) decommunications (dot) com [email concealed]>
> That's certainly not ideal but it seems pretty common. The whole idea
> of SSL is to encrypt the traffic en-route so that makes it all ok,
> right;) The whole burden rests on doing SSL right and never having the
> user click ok on one of those boxes about the SSL hostname not matching.
> So, obviously it's a big deal if the ssl certificate is valid so they
> aren't training user to ignore those warnings. One other thing to check
> is that SSL is actually required. What happens if you go to the login
> page and manually switch it back to http - does it let you go? It seems
> like a lot of people kindof take that as an acceptable risk. It depends
> what is being encrypted...requiring an administrative account be used in
> that manner seems to add quite a bit to the to the risk. It needs to be
> a business decision....I'd try to build a reasonable scenario that would
> allow an attacker to gain access and then let the customer weigh the
> value of the data and the likelihood that someone will be that
> interested against the difficulty of the attack.
>
> BTW, this sounds like a great point to throw in a little discussion
> about how well the monitor their logs and how quickly they'd catch an
> attack or even an attempted attack.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of jfvanmeter (at) comcast (dot) net [email concealed]
> Sent: Wednesday, May 14, 2008 6:40 AM
> To: pen-test (at) securityfocus (dot) com [email concealed]
> Subject: username and Password sent as clear text strings
>
> Hello everyone, and I know this might not be the most correct place to
> post this questions, but I was hoping to get some feedback on what you
> think the potential risk would be and how this this could be exploited.
>
> I completed a security review of a web server, that creates a SSL
> connection between the cleint and the server. Using WebScarab, I could
> see that the username and password are sent as clear text strings. The
> log in to the server requires a administrative account.
>
> Do you think there is a large amount of risk, in sending the username
> and password as a clear text string, since the pipe is encrypted? I was
> thinking that a man-in-the-middle or sometype of session hijacking
> attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to
> get some feedback from everyone so I could pose this to them correcly.
>
> Thank you in advance --John
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended for the use
> of the individual or entity to which they are addressed and may contain
> information that is privileged, proprietary and confidential. If you are not the
> intended recipient, you may not use, copy or disclose to anyone the message or
> any information contained in the message. If you have received this
> communication in error, please notify the sender and delete this e-mail message.
> The contents do not represent the opinion of D&E except to the extent that it
> relates to their official business.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
-------------- Original message ----------------------
From: "Shenk, Jerry A" <jshenk (at) decommunications (dot) com [email concealed]>
> That's certainly not ideal but it seems pretty common. The whole idea
> of SSL is to encrypt the traffic en-route so that makes it all ok,
> right;) The whole burden rests on doing SSL right and never having the
> user click ok on one of those boxes about the SSL hostname not matching.
> So, obviously it's a big deal if the ssl certificate is valid so they
> aren't training user to ignore those warnings. One other thing to check
> is that SSL is actually required. What happens if you go to the login
> page and manually switch it back to http - does it let you go? It seems
> like a lot of people kindof take that as an acceptable risk. It depends
> what is being encrypted...requiring an administrative account be used in
> that manner seems to add quite a bit to the to the risk. It needs to be
> a business decision....I'd try to build a reasonable scenario that would
> allow an attacker to gain access and then let the customer weigh the
> value of the data and the likelihood that someone will be that
> interested against the difficulty of the attack.
>
> BTW, this sounds like a great point to throw in a little discussion
> about how well the monitor their logs and how quickly they'd catch an
> attack or even an attempted attack.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of jfvanmeter (at) comcast (dot) net [email concealed]
> Sent: Wednesday, May 14, 2008 6:40 AM
> To: pen-test (at) securityfocus (dot) com [email concealed]
> Subject: username and Password sent as clear text strings
>
> Hello everyone, and I know this might not be the most correct place to
> post this questions, but I was hoping to get some feedback on what you
> think the potential risk would be and how this this could be exploited.
>
> I completed a security review of a web server, that creates a SSL
> connection between the cleint and the server. Using WebScarab, I could
> see that the username and password are sent as clear text strings. The
> log in to the server requires a administrative account.
>
> Do you think there is a large amount of risk, in sending the username
> and password as a clear text string, since the pipe is encrypted? I was
> thinking that a man-in-the-middle or sometype of session hijacking
> attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to
> get some feedback from everyone so I could pose this to them correcly.
>
> Thank you in advance --John
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended for the use
> of the individual or entity to which they are addressed and may contain
> information that is privileged, proprietary and confidential. If you are not the
> intended recipient, you may not use, copy or disclose to anyone the message or
> any information contained in the message. If you have received this
> communication in error, please notify the sender and delete this e-mail message.
> The contents do not represent the opinion of D&E except to the extent that it
> relates to their official business.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
[ reply ]