You are correct. The function getScrambledPassword is pretty weak. The password is not sent in clear text though; it can just be unscrambled using publicly available information.
Axton Grams

On 9/27/07, Carey Matthew Black <[EMAIL PROTECTED]> wrote:
> Axton,
>
> I think I have to question you on this one...
>
> - passwords sent via the login page: no
>
> I remember seeing a Javascript encoding function that encodes the
> value the user enters. However if the web server is not SSL'ed then
> that encoded value is sent "in the clear" to the server. (It is just
> scrambled a bit first.)
>
> I think it would be easy for the average web developer to look at the
> login page and use the Javascript code to build a function to
> "unscramble" the encoded password. (Although I have not tried to do
> it. I just expect that the process is reversible and since I should
> have access to all of the code that the browser uses.... the reverse
> algorithm just should not be hard to figure out.)
>
> So in my opinion, without an SSL cert, all of the mid-tier is "in the
> clear". And I mean not just the passwords, but the portion of the
> "form" that the client sees is also "in the clear". So if you did
> something very silly like embed a password in an Active Link action..
> well... that might (I have not confirmed it) also show up in the
> browser in clear text too. (And on the User Tool arf/arv files too,
> but that is a slightly different story.)
>
> Did I misunderstand the login page?
> Did I misunderstand the phrase "in the clear"?
>
> --
> Carey Matthew Black
> Remedy Skilled Professional (RSP)
> ARS = Action Request System(Remedy)
>
> Love, then teach
> Solution = People + Process + Tools
> Fast, Accurate, Cheap.... Pick two.
>
>
> On 9/27/07, Axton <[EMAIL PROTECTED]> wrote:
> > Which passwords?
> > - passwords sent in a url: yes
> > - passwords sent via the login page: no
> > - passwords sent for the mid-tier config page: no
> > - passwords for each server as configured in the mid-tier config page: no
> >
> > In the first case, an ssl cert will not help you. In the 2nd and 3rd
> > cases, an ssl cert will strengthen the data against outside
> > eavesdroppers. In the 4th case, configuring encryption on the
> > arserver will strengthen the data against outside eavesdroppers.
> >
> > Axton Grams
> >
> > On 9/27/07, Greg Donalson <[EMAIL PROTECTED]> wrote:
> > > ARSList,
> > >
> > > Are Mid-Tier passwords passed in clear text? If so, is the best way to
> > > get around this is to add a security certificate to the Mid-Tier server?
> > > Or are there other ways to get around it? Thanks!
> > >
> > > Greg
> > >
> > > _______________________________________________________________________________
> > > UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where
> > > the Answers Are"
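The reversibility Carey describes, shown with an added example that is not code from this thread and is not BMC's getScrambledPassword. It is an assumed toy scrambler of the same general shape (a fixed key table that ships in the page source), the inverse that anyone reading that source could write, and a constructed plain-HTTP POST body standing in for what a tap on an un-SSL'ed segment would see. PAGE_KEY, the field names "username"/"pwd" and the sample capture are all made up for the illustration.

```javascript
// Added example: a constructed stand-in for a client-side "scramble" routine.
// Not BMC's getScrambledPassword. Every input to the transform, the key table
// included, is visible in the page, which is exactly the weakness under
// discussion. PAGE_KEY and the form field names below are assumptions.
const PAGE_KEY = "arslist";

// What the login page would run on the password field before submitting.
function scramblePassword(plain) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const k = PAGE_KEY.charCodeAt(i % PAGE_KEY.length);
    // four hex digits per UTF-16 code unit so non-ASCII input round-trips
    out += (plain.charCodeAt(i) ^ k).toString(16).padStart(4, "0");
  }
  return out;
}

// Written purely by reading scramblePassword above; no secret was needed,
// only the page source every browser already receives.
function unscramblePassword(scrambled) {
  if (scrambled.length % 4 !== 0 || /[^0-9a-f]/i.test(scrambled)) {
    throw new Error("not a value produced by scramblePassword");
  }
  let out = "";
  for (let i = 0; i < scrambled.length / 4; i++) {
    const unit = parseInt(scrambled.slice(4 * i, 4 * i + 4), 16);
    const k = PAGE_KEY.charCodeAt(i % PAGE_KEY.length);
    out += String.fromCharCode(unit ^ k);
  }
  return out;
}

// A constructed POST body as a tap on an un-SSL'ed segment would see it.
// The scrambled value is pure hex, so it needs no URL encoding.
function buildCapturedPost(user, password) {
  return "username=" + encodeURIComponent(user) +
    "&pwd=" + scramblePassword(password) + "&timezone=GMT";
}

// The "average web developer" attack from the thread: pull the pwd field
// out of the capture and feed it to the inverse of the page's own function.
function recoverFromCapture(body) {
  const params = new URLSearchParams(body);
  const scrambled = params.get("pwd");
  if (scrambled === null) return null;
  return { user: params.get("username"), password: unscramblePassword(scrambled) };
}

// Stand-alone demonstration with a constructed login.
const capture = buildCapturedPost("Demo", "S3cret!Pass");
console.log("on the wire:", capture);
console.log("recovered:  ", recoverFromCapture(capture));
```

Because unscramblePassword is derived from nothing but the scrambler itself, a stronger scrambling routine would not change the outcome; the only inputs an eavesdropper lacks have to come from somewhere other than the page, which is why the thread's answer for the login and config pages is an SSL cert on the Mid-Tier rather than better client-side encoding.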

