Well aware of that, I said in the original email, it will increase the
work factor.
Regards
~Aman
Dean H. Saxe wrote:
On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:
Using Post method is considered more secure of the three options. You
may encrypt the credentials at the client, with a script on the client
browser. This won't make it completely resistant (when the proxy is
sniffing and decrypting SSL, as per the scenario) but will increase the
work factor because now the attacker has to get to the key and then
decrypt to get the credentials.
The key in this scenario has to be publicly available, so client-side
encryption of the credentials doesn't add any security to the system.
-dhs
Dean H. Saxe, CISSP, CEH
dean@fullfrontalnerdity.com
"I have always strenuously supported the right of every man to his own
opinion, however different that opinion might be to mine. He who denies
another this right makes a slave of himself to his present opinion,
because he precludes himself the right of changing it."
-- Thomas Paine, 1783
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
