[Owasp-delhi] SSL Broken..
karthik.muthukrishnan at tcs.com
Thu Jan 15 03:35:36 EST 2009
Out of band verification must be done for every request to the server if
the session credentials (typically a session ID cookie) are to be
protected. Without it, the initial auth creds in the login request will be
protected by out of band verification, but not the session creds.
> I know what I can use, but just out of curiosity I want to know if I
> don't use SSL/VPN or any other network based protection, what else can be
> done on the application layer in order to protect the credentials.
Auth creds (login requests) of web applications can be protected by using
either a challenge handshake mechanism or by using an out of band system.
However both of these will only prevent clear-text auth creds from being
transmitted across the network. After logging in, session credentials
will have to be protected too. I believe we have two options for this. The
first is to encrypt the channel, which is most commonly used in web
applications. The other alternative is not to support sessions at all. But
this means that authentication must happen for every request going to the
Guys, let me know if you can think of other options for Gunwant's
> > As we all know salted MD5 hashing protects the authentication
> > credentials rightly from eavesdropping on the network.
> Apparently Yes, although ultimately it protects authentication
No offense buddy, but you are using salted MD5 in a vulnerable way, for
Salted hashes prevent attackers from obtaining the source text, so by
sniffing the network and obtaining the hash, they can't have the original
password. You are correct there.
But when a web app uses a login request with a hashed password, anyone
with that hash can use that to login to the app -- without needing the
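The point made above, that a fixed salted hash sent by the client is itself a reusable credential while a nonce challenge-response is not, shown as an added example (not code from the thread or from OWASP). The user record, salt, password, and function names are constructed for illustration; the client is assumed to know the salt so it can recompute the same hash.

```python
"""Static client-side hash vs. nonce challenge-response for a login request."""
import hashlib
import hmac
import secrets

# Constructed server-side store: one user with a salted MD5 password hash.
USERS = {"alice": {"salt": "s4lt",
                   "hash": hashlib.md5(b"s4lt" + b"hunter2").hexdigest()}}


def static_hash_login(user, presented_hash):
    """Scheme criticised in the mail: client sends MD5(salt || password) and the
    server compares it. Whoever captures that hash can log in with it later."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], presented_hash)


class ChallengeServer:
    """Challenge handshake: the server issues a fresh, single-use nonce and the
    client proves knowledge of the hash with HMAC(hash, nonce). A captured
    response is bound to one nonce and cannot be replayed for a new login.
    Caveat: the stored hash is still password-equivalent if the database leaks;
    this only addresses eavesdropping on the network, the thread's scope."""

    def __init__(self):
        self._pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)  # single use: consumed on check
        rec = USERS.get(user)
        if nonce is None or rec is None:
            return False
        expected = hmac.new(rec["hash"].encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, salt, nonce):
    """What the browser-side code would compute for a given server nonce."""
    h = hashlib.md5(salt.encode() + password.encode()).hexdigest()
    return hmac.new(h.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def replay_demo():
    """Returns (static hash replays OK, fresh response OK, replayed response OK)."""
    sniffed = hashlib.md5(b"s4lt" + b"hunter2").hexdigest()  # as seen on the wire
    static_ok = static_hash_login("alice", sniffed)  # True: hash alone suffices
    srv = ChallengeServer()
    r1 = client_response("hunter2", "s4lt", srv.challenge("alice"))
    fresh_ok = srv.verify("alice", r1)  # True: matches the issued nonce
    srv.challenge("alice")  # next login gets a new nonce
    replay_ok = srv.verify("alice", r1)  # False: old response no longer valid
    return static_ok, fresh_ok, replay_ok
```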