OTP over SSL questions

Posted by Java Expresso on June 17, 2006, 8:07 am
Building an SSL protected website, the question has come up on whether
to use OTP or static passwords over SSL. Aside from the following
attacks, what other attacks can OTP protect against?:

-eavesdropping on an SSL session??? (If this is possible, please
explain)
-Brute Force attacks.


Posted by Todd H. on June 17, 2006, 11:47 am

> Building an SSL protected website, the question has come up on whether
> to use OTP or static passwords over SSL. Aside from the following
> attacks, what other attacks can OTP protect against?:
>
> -eavesdropping on an SSL session??? (If this is possible, please
> explain)
> -Brute Force attacks.

Just to be clear--what is OTP? One-time password? Single-use
passwords of course are more secure than static passwords, but unless
you have patient users or savvy ones, they tend to turn folks off from
a usability standpoint.

OTP won't protect against the success of a brute force attack, but it
will make the password the bruteforce attack finds immediately
worthless, which is a big plus.

If you're building a website and wanna do it right, I suggest the
OWASP guide as required reading:
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

The guide talks a lot about how not to do password protection and
session management.

Eavesdropping on SSL can be accomplished relatively easily, since users,
as a lot, tend to ignore certificate warnings. A man-in-the-middle
SSL attack is accomplished by getting in the middle, which may present
a user with a certificate warning about the site, and with how many
sites with goofy SSL certificates there are out there, unwary users just want
things to work, ignore the warning, and okay the connection, accepting
the man in the middle's cert instead of the end site's cert. There's
not a lot you can do to protect foolish users though, so it's not
really something to worry about too much.

If you want to drive your users nuts but be rather secure, perhaps look
into a static user password plus a client certificate that they need
to connect. That said though, there's a lot more stuff to worry
about other than this, and if you do the rest of the job well, a
static password sent over SSL will put you in a good situation with
regard to due diligence.

Like we always see, how nuts you want to get with protections on
authentication credentials has to do with how sensitive the info is,
and how much patience and training you can throw at your users for
dealing with the access controls.

Best Regards,
--
Todd H.
http://www.toddh.net/
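To make concrete the point above that a brute-forced or sniffed one-time password is "immediately worthless", here is a server-side verifier for counter-based OTPs (HOTP, RFC 4226). This is an added example, not code from either poster; the shared secret is the RFC 4226 test secret, the account state is constructed for the example, and the look-ahead window and lockout threshold are arbitrary assumptions. It shows a fresh code being accepted, the same code being refused on replay, and the account locking after a run of wrong guesses so that a brute-force search stops paying off.

```python
"""HOTP (RFC 4226) verification with replay protection and lockout.

Added example for this thread, not from the original posts. The secret is
the RFC 4226 test secret; the per-account state is constructed here.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for a shared secret and counter."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation offset
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpAccount:
    """Server-side state for one user: shared secret, next expected counter,
    and a failure count used to lock the account under brute force.
    Window and threshold values are assumptions chosen for the example."""

    def __init__(self, secret: bytes, look_ahead: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server will accept
        self.look_ahead = look_ahead  # tolerate codes generated but never submitted
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        for i in range(self.look_ahead):
            expected = hotp(self.secret, self.counter + i)
            if hmac.compare_digest(expected, candidate):
                # Advance past the consumed code so it can never be replayed.
                self.counter += i + 1
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def demo() -> dict:
    """Walk through the cases discussed in the thread and return the outcomes."""
    acct = HotpAccount(b"12345678901234567890")  # RFC 4226 test secret
    first = hotp(acct.secret, 0)
    results = {
        "first_login": acct.verify(first),      # fresh code: accepted
        "replay": acct.verify(first),           # same code sniffed and resent: rejected
        "skipped_ahead": acct.verify(hotp(acct.secret, 3)),  # codes 1,2 unused: accepted
    }
    # Brute force: five wrong guesses lock the account ...
    for guess in ("000000", "111111", "222222", "333333", "444444"):
        acct.verify(guess)
    results["locked"] = acct.locked
    # ... so even the correct next code is refused until an operator resets it.
    results["correct_after_lock"] = acct.verify(hotp(acct.secret, acct.counter))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter advance is what makes a captured code worthless: once a value has been accepted, the server will never accept it again, so a sniffed or guessed code only helps an attacker who submits it before the legitimate user does. This says nothing about an active man in the middle relaying the code in real time while the session is open; that case is only addressed by the client-certificate or certificate-warning points in the post above.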
