Most of the major providers that I know use SSL behind NetScalers too
for their login servers. Usually NetScalers persist the connections
with the origin servers, so there is still a huge performance improvement
while securing the data in transit on the internal network.
Of course passwords still have to be sent over POST, not just to keep
them off of server logs but to prevent the browsers from storing them in
users' history.

-Praveen

On 1/30/09, George Fletcher <gffle...@aol.com> wrote:
>
> Agreed. I don't think this solution works for everyone.
>
> Though from that post it seems that unless the site is using SRP, the
> password is going in clear-text over the wire (SSL) for sites that store
> salted hashes. (I just used Live HTTP Headers to verify a major online
> service provider, and this is the case. The password is in clear-text
> over SSL.) If the site uses something like a NetScaler to offload their
> SSL, then the clear-text password is in the clear inside the company's
> network. Hopefully, most sites using this scheme make sure the password
> is specified in a POST to ensure it's not being stored in clear-text in
> the server's log files :)
>
> Thanks,
> George
>
> Brian Eaton wrote:
>> On Wed, Jan 28, 2009 at 6:41 PM, George Fletcher <gffle...@aol.com> wrote:
>>
>>> The request is only valid if the receiving
>>> authentication system can generate the signature using the password for
>>> that user.
>>>
>>
>> Lots of authentication servers can't do that, because they do not keep
>> a clear-text version of the user's password.  Instead they store a
>> salted hash.
>>
>> I love Thomas Ptacek's summary of password storage schemes:
>> http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
>>
>>
>
> --
> Chief Architect                   AIM:  gffletch
> Identity Services                 Work: george.fletc...@corp.aol.com
> AOL LLC                           Home: gffle...@aol.com
> Mobile: +1-703-462-3494
> Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
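The point Brian and George are making above, as an added illustration that is not part of this thread: a server that stores only a salted hash can verify a password that arrives in clear-text (over SSL) by re-deriving the hash, but it cannot recompute a signature the client made with the raw password, because it no longer has the raw password. The store layout, the PBKDF2 parameters and the `cleartext` field used for the contrast are assumptions of this example, not anything the thread describes.

```python
import hashlib
import hmac
import os

# Assumed credential store: one record per user holding only a salted
# hash (PBKDF2-HMAC-SHA256).  No clear-text password is kept.
def make_salted_entry(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(entry: dict, candidate: str) -> bool:
    """Server side of the usual scheme: the clear-text password arrives
    (inside SSL) and is re-hashed with the stored salt and compared."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), entry["salt"], entry["iterations"]
    )
    return hmac.compare_digest(digest, entry["hash"])


def client_sign_request(password: str, request_body: bytes) -> str:
    """Client side of the signed-request scheme discussed in the thread:
    sign the request with the raw password instead of sending it."""
    return hmac.new(password.encode(), request_body, hashlib.sha256).hexdigest()


def server_verify_signed_request(entry: dict, request_body: bytes, signature: str):
    """Server side of the signed-request scheme.  Recomputing the HMAC
    needs the raw password.  Returns True/False when the record carries
    one (the 'cleartext' field, assumed here only for the contrast) and
    None when it is a salted-hash-only record, i.e. cannot verify."""
    cleartext = entry.get("cleartext")
    if cleartext is None:
        return None
    expected = hmac.new(cleartext.encode(), request_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample credential and request
    record = make_salted_entry("correct horse")
    body = b"POST /login HTTP/1.1\r\nuser=alice"
    print("clear-text over SSL verifies:", verify_password(record, "correct horse"))
    sig = client_sign_request("correct horse", body)
    print("signature verifiable with salted-hash store:",
          server_verify_signed_request(record, body, sig))
```

The `None` result is the whole story: with a salted-hash store the only thing the server can check is the password itself, which is why it has to travel in clear-text inside SSL, and why it matters that the SSL endpoint and everything behind it treat that POST body as sensitive.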
