[TYPO3-dev] secure?: https:// user:pw at website.tld

Helmut Hummel helmut.hummel at typo3.org
Thu May 24 08:47:24 CEST 2012


Hi,

On 22.05.12 23:22, Peter Russ wrote:
> --- Original message ---
> Sender:   Martin Bless
> Date:       21.05.2012 10:49:
>>
>> Asking here since we don't have a security related mailing list for
>> obvious reasons :-)
>>
>> Does anybody know: Is it insecure to write https://user:pw@website.tld
>> in the browser?

As Stefan pointed out, the password will be SSL-encrypted during the 
transmission.

> 1. It might be logged

It will be stored in the browser history on the client. It will *not* be 
logged in the access log (or anywhere else on the server).

> 2. Who is the man-in-the-middle?

SSL is the best we have to prevent mitm attacks. The only way to break 
it is to have control over a Certificate Authority (which happened in the 
past).

> 3. Providing password in cleartext even on https is obsolete

How do you know the password is transmitted in clear text?
The webserver may be configured to do a challenged password transmission.
And even if it's transmitted in clear text it is still SSL encrypted.

> 5. Clear text password is a risk in general, i.e the password is in
> clear text in DB: you have other problem->  don't worry about https ;-)

The above URL triggers a http auth with the webserver (if the webserver 
is configured like that). This does not mean that the password is stored 
anywhere and even if there is a PHP application that receives that 
password it does not necessarily mean it is stored in clear text (which 
would be bad indeed).

Getting a bit off topic: TYPO3 can be configured to send the password in 
clear text ("securityLevel = normal"), if the connection is SSL 
encrypted. The password itself is still stored as salted hash, but the 
cleartext password is needed to be able to compare the transmitted 
password with the hash.

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
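The two points Helmut makes above, that the user:pw part of the URL only triggers an HTTP auth exchange and ends up in a request header rather than in the logged request line, and that a salted hash can only be checked when the server has the cleartext password, are illustrated by the following added example. It is not code from the TYPO3 project or from anyone in this thread; it uses only the Python standard library, assumes the Apache/nginx "combined" access log format, and uses PBKDF2-HMAC-SHA256 as a stand-in for TYPO3's salted hashing (the actual scheme is not shown here). The URL, credentials and log line are constructed sample data.

```python
"""Added example (not from the TYPO3 thread): what happens to
https://user:pw@website.tld between the browser and the server.

Assumptions: combined access log format; PBKDF2-HMAC-SHA256 stands in
for the salted hash used by TYPO3. All inputs are constructed samples."""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit, urlunsplit


def split_userinfo(url):
    """Return (clean_url, username, password) for a URL with userinfo.

    The browser keeps the full URL (credentials included) in its history,
    but strips the user:pw part before building the request line and only
    sends the credentials in an Authorization header once challenged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    clean = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, parts.fragment))
    return clean, parts.username, parts.password


def basic_authorization(username, password):
    """Build the header sent for HTTP Basic auth.

    Base64 is reversible, so the credentials are effectively cleartext
    at the HTTP layer; confidentiality on the wire comes from TLS only."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_authorization(header):
    """What the server sees after decoding the header (inverse of above)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def access_log_line(method, url, status):
    """Constructed combined-format log entry for a request to `url`.

    Only the request line (method, path and query, protocol) is logged;
    %u records the authenticated user name, but headers are not logged,
    so the password never reaches the access log even though it was part
    of the URL typed into the browser."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return '203.0.113.5 - %s [24/May/2012:08:47:24 +0200] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
        parts.username or "-", method, path, status)


def hash_password(password, salt=None, iterations=100000):
    """Store a salted hash (stand-in for TYPO3's salted hashing)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Requires the cleartext password: the salted hash can only be
    recomputed from it, which is why "securityLevel = normal" sends the
    cleartext over TLS instead of a client-side hash."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    typed = "https://user:s3cr3t@website.tld/typo3/?x=1"  # constructed sample
    clean, user, pw = split_userinfo(typed)
    header = basic_authorization(user, pw)
    print("request line uses:", clean)
    print("header sent:      ", header)
    print("access log:       ", access_log_line("GET", typed, 200))
    stored = hash_password(pw)
    print("stored hash:      ", stored)
    print("verify:", verify_password(pw, stored), verify_password("wrong", stored))
```

Running the script shows the credentials surviving only in the Authorization header and in the stored salted hash, never in the logged request line; the verify step also shows why the server needs the cleartext at login time even though it never stores it.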