Yes, definitely clear text passwords will be one of the weaker links in your
armour which TLS/SSL will try to prevent.

Ever thought about using a 3rd party scanning product to identify issues?

Take a look at NetSparker, they offer a free community edition.
Also possibly worth looking at vulnerability scanning vendors which
typically have a web suite which will attack your server. 

OWASP also have a great list of things that you should take a look at in
your projects - http://www.owasp.org

Best regards,
Michael Lyons

-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Arjang Assadi
Sent: Monday, 4 April 2011 4:58 PM
To: ozDotNet
Subject: Security assessment for Asp.net site using WebForms Authentication
with Default Asp.net Membership Provider not using https?

I have been asked to provide a security assessment for an ASP.NET site
using WebForms Authentication with the default ASP.NET Membership Provider,
not using HTTPS.

The website in question just provides some confidential information
and nothing financial, but yet still I would like to have at least a
security level matching what I would like for a web-based email client
(Gmail, Hotmail, etc.).

I have assumed the first requirement is getting an HTTPS certificate.
What else should I consider? Any links for security-related issues for
ASP.NET deployment?

Regards

Arjang
