by viraptor 2901 days ago
> TLS makes it acceptable to send cleartext passwords

What do you mean? There exists a NULL cipher, but it needs to be agreed on by both sides. If mastercard doesn't allow NULL, you can't send anything in cleartext. Or did you think of something else?

2 comments

The problems are before and after the TLS tunnel.

I've seen a BigCorp load balancer / web firewall log the first 1KB of each HTTP POST body into a permanent archive. A typical login submission is much smaller than that. Also in some networks the TLS connection is terminated by a frontend server and backend communication is plaintext HTTP.

While these examples are obviously bad practice, having your requests signed and not leak user passwords would easily nullify their impact.
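As an added illustration of the two failure modes this reply names (a middlebox archiving the first 1KB of each POST body, and a TLS-terminating frontend passing plaintext HTTP to the backend), the following is example code written for this page, not code from any commenter or product. It simulates the 1KB log capture and compares a conventional user/password login body with a request that is instead authenticated by an HMAC over the request, keyed by a PBKDF2-derived value the server stores as a verifier. The salt, sample password, header names and request layout are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

LOG_PREFIX_BYTES = 1024  # the thread's "first 1KB of each HTTP POST body"

# Constructed server-side state (sample values, not from any real service).
SALT = b"constructed-per-user-salt"
PASSWORD = "correct horse battery staple"  # constructed sample password


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2 turns the password into a signing key. The server stores only
    this derived key as a verifier; the plaintext password never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


STORED_VERIFIER = derive_key(PASSWORD, SALT)


def proxy_log(body: bytes) -> bytes:
    """Simulates the misbehaving load balancer: archives the first 1KB of the body."""
    return body[:LOG_PREFIX_BYTES]


def plaintext_login_body(user: str, password: str) -> bytes:
    """The conventional login form: the password travels in the body."""
    return json.dumps({"user": user, "password": password}).encode()


def _canonical(ts: int, nonce: str, body: bytes) -> bytes:
    # Method, path, timestamp, nonce and body are all bound into the signature.
    return b"|".join([b"POST", b"/login", str(ts).encode(), nonce.encode(), body])


def signed_login_request(user: str, password: str, salt: bytes):
    """Client side: prove possession of the password without transmitting it."""
    nonce = secrets.token_hex(16)
    ts = int(time.time())
    body = json.dumps({"user": user}).encode()
    key = derive_key(password, salt)
    sig = hmac.new(key, _canonical(ts, nonce, body), hashlib.sha256).hexdigest()
    headers = {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}
    return headers, body


def verify_signed_request(headers, body, verifier, seen_nonces, now=None, max_skew=300):
    """Server side: recompute the HMAC with the stored verifier; reject stale
    timestamps, reused nonces and any mismatch in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in seen_nonces:
        return False
    expected = hmac.new(verifier, _canonical(ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    seen_nonces.add(nonce)
    return True


def password_leaks_via_log(data: bytes, password: str) -> bool:
    """Would the archived 1KB prefix contain the password?"""
    return password.encode() in proxy_log(data)


def demo():
    pt_body = plaintext_login_body("alice", PASSWORD)
    headers, signed_body = signed_login_request("alice", PASSWORD, SALT)
    seen = set()
    return {
        "plaintext_leaks": password_leaks_via_log(pt_body, PASSWORD),
        "signed_leaks": password_leaks_via_log(signed_body, PASSWORD)
        or password_leaks_via_log(json.dumps(headers).encode(), PASSWORD),
        "signed_verifies": verify_signed_request(headers, signed_body, STORED_VERIFIER, seen),
        "replay_rejected": not verify_signed_request(headers, signed_body, STORED_VERIFIER, seen),
        "tampered_rejected": not verify_signed_request(
            headers, signed_body.replace(b"alice", b"mallory"), STORED_VERIFIER, set()
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signed request carries only the username and an HMAC, neither the 1KB log archive nor a plaintext hop behind the TLS terminator ever holds the password, and a captured request cannot be replayed once its nonce is seen or its timestamp ages out. The stored PBKDF2 output is itself password-equivalent for signing, so this shows the idea in the comment (the server never receives the plaintext password) rather than a full replacement for a PAKE.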

> What do you mean?

Login with user/password. Now the receiving end knows your plaintext password. It might get hashed, but you don't know when. Twitter I think had the latest failure with that, logging the password.

TLS is just that no MITM can see the data and that you can somewhat verify who you are connecting to.