OTP over SSL questions

on 17.06.2006 14:07:13 by Java Expresso

Building an SSL protected website, the question has come up on whether
to use OTP or static passwords over SSL. Aside from the following
attacks, what other attacks can OTP protect against?:

-eavesdropping on an SSL session??? (If this is possible, please
explain)
-Brute Force attacks.

Re: OTP over SSL questions

on 17.06.2006 17:47:09 by comphelp

"Java Expresso" writes:

> Building an SSL protected website, the question has come up on whether
> to use OTP or static passwords over SSL. Aside from the following
> attacks, what other attacks can OTP protect against?:
>
> -eavesdropping on an SSL session??? (If this is possible, please
> explain)
> -Brute Force attacks.

Just to be clear--what is OTP? One time password? Single use
passwords of course are more secure than static passwords, but unless
you have patient users or savvy ones, they tend to turn folks off from
a usability standpoint.

OTP won't protect against the success of a brute force attack, but it
will make the password the bruteforce attack finds immediately
worthless, which is a big plus.

If you're building a website and wanna do it right, I suggest the
OWASP guide as required reading:
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

The guide talks a lot about how not to do password protection and
session management.

Eavesdropping on SSL can be accomplished relatively easily since users,
as a lot, tend to ignore certificate warnings. A man-in-the-middle
SSL attack is accomplished by getting in the middle, which may present
a user with a certificate warning about the site, and with how many
sites with goofy SSL certificates are out there, unwary users just want
things to work, ignore the warning, and okay the connection, accepting
the man in the middle's cert instead of the end site's cert. There's
not a lot you can do to protect foolish users though, so it's not
really something to worry about too much.

If you want to drive your users nuts but be rather secure, perhaps look
into a static user password plus a client certificate that they need
to connect. That said though, there's a lot more stuff to worry
about other than this, and if you do the rest of the job well, a
static password sent over SSL will put you in a good situation with
regard to due diligence.

Like we always see, how nuts you want to get with protections on
authentication credentials has to do with how sensitive the info is,
and how much patience and training you can throw at your users for
dealing with the access controls.

Best Regards,
--
Todd H.
http://www.toddh.net/
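The point in the reply above that a one-time password becomes "immediately worthless" once used is what a server-side verifier has to enforce. The following is an added example (not code from either poster): an RFC 4226 HOTP generator plus a verifier that consumes the counter on every successful check, so a code that was guessed, sniffed or replayed after use is rejected. The secret, the look-ahead window of 5 and the `OtpVerifier` class are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment generates one per user and keeps it server-side only.
DEMO_SECRET = b"constructed-demo-secret-key-123"
# Assumed look-ahead: how many counter values past the last consumed one are still accepted,
# to tolerate a token the user generated but never submitted.
LOOKAHEAD = 5


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user: the highest counter value that has already been consumed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last consumed one are candidates, so any code
        # at or below it (a replay of a used password) can never match again.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + LOOKAHEAD):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consume this counter and every earlier one
                return True
        return False


def replay_demo(secret: bytes = DEMO_SECRET):
    """Returns (first_use_ok, replay_ok, next_code_ok) for one user session."""
    verifier = OtpVerifier(secret)
    first = hotp(secret, 0)
    first_use_ok = verifier.verify(first)
    replay_ok = verifier.verify(first)          # same password again: must be rejected
    next_code_ok = verifier.verify(hotp(secret, 1))  # the next token still works
    return first_use_ok, replay_ok, next_code_ok
```

Rate-limiting the verify endpoint is still needed: with a 6-digit code and a window of 5 an online guess succeeds with probability 5/10^6 per attempt, which the counter logic alone does not bound.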