Comments on: PassPack and aSSL

By: rocks

rocks — Wed, 29 Oct 2008 15:41:56 +0000

Does it secure enough? Daniel, programmer of herbal sleeping pills

By: Tara

Tara — Mon, 29 Jan 2007 03:40:37 +0000

@Scott
Yes, there has been quite a bit of buzz about XSS via Ajax. Essentially, it boils down to this: a poorly built website will be easily violated, a well built one will not â€“ Ajax is irrelevant, whatâ€™s important is that itâ€™s high quality. I took a look at your site, it seems you’ve already found Whitehat’s article “Myth Busting Ajax Insecurity”
.
This blog post, and subsequent comments, briefly describe PassPack’s security measures (in layman’s terms):
http://passpack.wordpress.com/2006/12/14/password-security-packing-keys/

By: Scott Wright

Scott Wright — Fri, 26 Jan 2007 05:07:25 +0000

Hi folks. I’m brand new to AJAX, and I’m not a developer… so why am I here? Well, I do IT Security consulting. It’s a huge field that you can’t possibly know everything about unless you’re Bruce Schneier (just kidding). While I haven’t done development myself in many years, I do a lot of architectural analysis in the name of security. I only recently heard the term AJAX. How far behind the curve does that make me? I’ve heard via CNET podcasts that AJAX has some serious cross-site scripting type vulnerabilities.

So, I have two comments. I’d be interested in finding some background articles on the essentials of AJAX that a security architect would need to know. I’d also like to hear some comments in reply to the vulnerability issues.

Thanks, and while i’m pretty new to posting on blogs, feel free to drop by my blog at http://www.securityviews.com and make some comments to get things rolling. (BTW – nice capcha technique for comment posting!)

By: Tara Kelly

Tara Kelly — Wed, 10 Jan 2007 01:33:04 +0000

@dude
You said: “The site is very nice. I really like the user interface”
And I say: “Thanks! Glad you like it.”
What can I do? I still get excited, to this day, when someone likes something I’ve built. :) Much appreciated.

By: dude

dude — Wed, 10 Jan 2007 00:31:50 +0000

The site is very nice. I really like the user interface, and the security mechanism is interesting. I don’t think I’ll use it though – I don’t trust my *REAL* passwords anywhere but in my brain (bank, for instance) . For the passwords I don’t care that much about … well I don’t really care if I forget them I suppose. There’s always a ‘forgot pwd’ link – if there is no such link chances are the site sucks so bad I probably won’t have an account on it.
Just a personal opinion on online passwords – wish you the best, the site is great.

By: Francesco Sullo

Francesco Sullo — Tue, 09 Jan 2007 18:05:41 +0000

I’d like to underline that *PassPack uses standard SSL* and it is totally separated from aSSL. The unique connection between the two projects is that I work on both.

@Jason. Careful, aSSL is not a substitute for SSL, it only “raises the bar” for non-critical sites. aSSL is not currently safe from MiTM attacks. I’m studing a certification mechanism based on a network of public testimonial to (hopefully, someday) overcome this limitation, but it is far from happening. Please read the aSSL Security FAQ: http://assl.sullof.com/assl/securityfaq.asp

By: Jason Kolb

Jason Kolb — Tue, 09 Jan 2007 17:11:27 +0000

This is extremely cool, I’ve been waiting for something like this for a long time. I can’t wait to do away with SSL. Thanks for the link.