
Recently our web application has gone through an audit. The auditor came up with the following finding:

Although SSL has been implemented and enforced, this only implies that there is network encryption (i.e. if someone uses a network sniffing tool, data will not be in clear-text). However, the end-point, meaning the client workstation, might have been tampered with by proxies or monitoring tools. If that is the case, not implementing application encryption during login or change/reset password will allow user credentials to be seen in clear-text.

Is there any standard procedure/practice available to address this kind of security issue? Is client-side JavaScript encryption/hashing worth considering?

Note: It's a JavaEE application (Struts+EJB) dealing only with data retrieval (i.e. an enquiry system).

Suresh

2 Answers

SSL encryption helps to avoid network sniffing and interception attacks such as man-in-the-middle. But if the interception happens after that, then you require encryption on the client side.

prasad

Yes, it would be wise to hash the credentials so that even if an attacker uses a proxy, he/she would not be able to make sense of the data being passed.