
Secured User Communications

2011-05-12 14:41:54

Just a small note about what you noted here:

Keith Moore wrote:

Most of the time it's for good reasons - product liability, PCI requirements, etc. But even then, that hasn't prevented people from breaking security needs by adding wrappers into their new user account/change password code to save the plain text somewhere before the server secured the password storage.

There is no longer any good reason for using plaintext passwords, particularly .....

True, but most packages do offer an option like

   [X] Plain text ONLY over SSL/TLS

I believe the AUTH related RFCs also state this security consideration.

For PCI though, it may not be enough (depending on a few factors), and you would need SSL + HTTP Digest with the (technically optional) NONCE support required.

... not for customers who have their own domains and can select their own user agents.

In my business and product experience, the opposite is true, as in an Intranet: a host with its own access clients and/or with proprietary security and access controls. It's one reason why we continue to exist as a business. A good example is HIPAA compliance requirements for SSL- or SHA2-secured encrypted communications over the internet - the exception? Direct dialup! So if a small business, mom and pop shop, or even mid to large, etc., wanted to get a fast certification entry into the medical insurance provider business - you can come to us! :) Remember, it's not just the host, but their client users' device capabilities too (doctors, banks, etc.).

The times we get requests or queries regarding exposing secured passwords are when they are doing some form of integration, which leads to the growing industry-wide consideration of a "Single Identity" authentication concept.

See NSTIC - National Strategy for Trusted Identities in Cyberspace

Of course, the key industry vendors pushing this include the marketing vendors - you would buy that "Single Trusted Identity" from them.

Hector Santos