2

One of my findings during a security audit was a password, sent as is over the network. As bad as it sounds, this happens only over an HTTPS connection. Some authors suggested here that additional measures are not necessary; others point out some problems, as I was told in the comments.

What are the threats which are not mitigated by TLS? Obviously, the passwords leak if the TLS connection is attacked by a man-in-the-middle or compromised otherwise. Anything else?

  • 4
    If the connection is encrypted, it's not plaintext;) – Tobi Nary Apr 01 '16 at 06:16
  • 1
    An attack to the protocol instead might also be a vulnerability. Look up DROWN for example. – Rápli András Apr 01 '16 at 06:20
  • 1
    Is this between a web browser and webserver? If so, there are additional issues on the browser side, as covered here: http://security.stackexchange.com/q/988/33 – AviD Apr 01 '16 at 07:00
  • 1
    Why downvoting this? It's not a great question but it's still a relevant one. – Stephane Apr 01 '16 at 07:12
  • @SmokeDispenser: valid note, thanks. Question title updated. – Konstantin Shemyak Apr 01 '16 at 07:14
  • Are you worried it's stored in plaintext? – d1str0 Apr 01 '16 at 07:18
  • @d1str0: I do not know how the passwords are stored, the server is not in the scope of the audit (not at this stage at least). *If* stored in plaintext, then it would be a major concern. – Konstantin Shemyak Apr 01 '16 at 07:22
  • How does this question differ from the referenced one? – techraf Apr 01 '16 at 07:39
  • @techraf: The referenced question asks "**what** should I do". Here the focus is "**why** should I do something" - thus emphasizing "other attack vectors". – Konstantin Shemyak Apr 01 '16 at 07:55
  • Both posts describe the same situation and start the question with "Is there any..." Can't see any reason for answers to be split under the two posts and thus be more difficult to find. – techraf Apr 01 '16 at 08:00
  • Also the original title was natural and way better. Can't imagine someone looking for information would type "password as is" in the search query. – techraf Apr 01 '16 at 08:11

1 Answer

2

Is there any other attack vector ...

It depends on the details of your implementation. If you are using a POST request or the common HTTP Authentication you should be fine. But if you are using a GET request to send the password (i.e. form with method=GET or similar), then the password might be kept in log files, the HTTP Referer header, etc., which opens up more attack vectors.

Steffen Ullrich
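An audit check for the GET-request leak described in the answer above, as an added example that is not part of the original answer: it scans web server access log lines for credential parameters in the request target or the Referer field and redacts them. The Combined Log Format layout, the parameter-name list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credentials (assumed list; adjust to the application).
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Combined Log Format: ... "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, leaked_param_names) for one URL or request target."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return url, []
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def audit_line(line):
    """Return (redacted_line, findings); findings lists (field, param) pairs."""
    m = LINE_RE.search(line)
    if not m:
        return line, []
    findings = []
    # Replace the later field first so the earlier field's offsets stay valid.
    for field in ("referer", "target"):
        new, leaked = redact_url(m.group(field))
        findings += [(field, name) for name in leaked]
        line = line[:m.start(field)] + new + line[m.end(field):]
    return line, findings

# Constructed sample lines (not from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2016:06:16:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Apr/2016:06:16:01 +0000] "GET /home HTTP/1.1" 200 512 "https://example.com/login?user=alice&password=hunter2" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Apr/2016:06:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        redacted, found = audit_line(entry)
        print("LEAK" if found else "ok  ", found, redacted)
```

The POST line passes clean because the password travels in the request body, which this log format does not record.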