Friday, October 26, 2012

Re: Security considerations for GWT applications

On Wednesday, October 24, 2012 2:38:51 PM UTC-4, Manuel Carrasco wrote:
- You could compute and send the MD5 hash of the password instead of the clear one if the server is storing the password in MD5
 
This doesn't really work against MITM attacks. As written, the proposal substitutes a password equivalent in place of the original password, which doesn't really provide any protection against unauthorized access to the system because intercepting the password equivalent would still be sufficient for access. It does protect the original password, though that's typically a lesser concern.



Exact this is not a protection for the target system, but a guarantee for the user so as her clear password is not seen in the wire. It is very usual for users to use the same password for different systems.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.

No comments:

Post a Comment