Brandon Black wrote:
> I'd agree that SSL is the best idea for solving a whole lot of issues,
> and anyone authenticating over the net should be using SSL. But SSL
> doesn't make all of the other issues magically go away. SSL is just yet
> another layer of security. Ideally, one should still be observing best
> practices for challenge/response and translucent pw storage, etc, even
> within an SSL environment. That method I linked (and others like it)
> are still useful under SSL, and are improved by SSL (because with signed
> certs it eliminates MITM attacks that the challenge/response is
> otherwise subjected to - assuming the javascript for the hashing and the
> login page itself are also sent via SSL).
Also remember that the longer an SSL session lasts, the more likely it is to be crackable from the data stream.

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
