I have the following scenario and am looking for a secure solution.

There is a web application, hosted on IIS. The connection is established over TLS 1.2 and is encrypted.

So the steps are

  1. Client connects to the server over ssl

  2. Client sends the username and password (as well xsrf token)

  3. The server authenticates the user and creates an encrypted cookie that will go back and forth.

Assume that we are in a corporate environment where all communication occurs via a proxy server (for example when using SSL Inspection). If the inspector is compromised (quite probable based on this) then the user is vulnerable to credential theft.

I read about the crypto binding solution, but this only prevents the MITM from keeping the connection alive after the client has stopped generating traffic.

Is there a way to secure the user's passwords when ssl has been compromised this way?

1 Answer

The Secure Remote Password (SRP) protocol can be used to send credentials over an unencrypted network.

You could also require SSL/TLS client authentication which will prevent the proxy from being able to establish a connection to the web server.

Irfan434
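To show what the answer's SRP suggestion means in practice, here is an added worked example of an SRP-6a login exchange with both the client and the server side, written for this page and not taken from the question's application or from any SRP library. It assumes the 1024-bit group from RFC 5054 (transcribed here; a real deployment should use a larger group), SHA-256 as the hash, and a constructed user "alice" with a constructed password. The point for the scenario in the question: everything that crosses the wire (username, A, salt, B, M1, M2) is collected in a transcript, and neither the password nor anything that lets an inspecting proxy replay the login appears in it; a wrong password simply fails the proof check.

```python
"""SRP-6a (RFC 5054 style) login, both sides, over a channel an inspecting proxy can read."""
import hashlib
import os

# Group (N, g): the 1024-bit safe prime and generator from RFC 5054, Appendix A,
# transcribed here (assumption: check it against the RFC before reuse).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def hash_bytes(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def hash_int(*parts):
    return int.from_bytes(hash_bytes(*parts), "big")


def to_bytes(n):
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


k = hash_int(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter


def private_x(username, password, salt):
    """x = H(salt | H(username ':' password)); computed only on the client."""
    return hash_int(salt, hash_bytes(username.encode(), b":", password.encode()))


def enroll(username, password):
    """Client-side registration: the server gets (salt, v = g^x), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)


class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, verifier)
        self.sessions = {}  # username -> private state of the login in progress

    def add_user(self, username, salt, verifier):
        self.users[username] = (salt, verifier)

    def challenge(self, username, A):
        """Message 2: take the client's public A, answer with (salt, B); b stays private."""
        if A % N == 0:
            raise ValueError("client public value A must not be 0 mod N")
        salt, v = self.users[username]
        b = int.from_bytes(os.urandom(32), "big")
        B = (k * v + pow(g, b, N)) % N
        self.sessions[username] = {"A": A, "B": B, "b": b, "v": v}
        return salt, B

    def verify(self, username, M1):
        """Message 4: derive S from (A, v, b), check the client proof M1, return M2 or None."""
        s = self.sessions.pop(username)
        u = hash_int(to_bytes(s["A"]), to_bytes(s["B"]))
        S = pow((s["A"] * pow(s["v"], u, N)) % N, s["b"], N)
        K = hash_bytes(to_bytes(S))
        if M1 != hash_bytes(to_bytes(s["A"]), to_bytes(s["B"]), K):
            return None
        return hash_bytes(to_bytes(s["A"]), M1, K)


def client_login(username, password, server, wire):
    """Run the exchange as the client; `wire` collects every field an observer sees."""
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    salt, B = server.challenge(username, A)
    wire += [("C->S", username.encode(), to_bytes(A)), ("S->C", salt, to_bytes(B))]
    if B % N == 0:
        raise ValueError("server public value B must not be 0 mod N")
    u = hash_int(to_bytes(A), to_bytes(B))
    if u == 0:
        raise ValueError("u must not be 0")
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # equals g^(ab + bux), as on the server
    K = hash_bytes(to_bytes(S))
    M1 = hash_bytes(to_bytes(A), to_bytes(B), K)
    M2 = server.verify(username, M1)
    wire += [("C->S", M1), ("S->C", M2 or b"")]
    return M2 is not None and M2 == hash_bytes(to_bytes(A), M1, K)


def demo(password_attempt):
    """Enroll the constructed user 'alice', then log in with `password_attempt`.
    Returns (login_succeeded, wire), where wire is the observer's view of the exchange."""
    server = Server()
    salt, v = enroll("alice", "correct horse battery staple")
    server.add_user("alice", salt, v)
    wire = []
    return client_login("alice", password_attempt, server, wire), wire


def wire_leaks(wire, secret):
    """True if any transmitted field contains `secret` verbatim (it never should)."""
    return any(secret.encode() in field for msg in wire for field in msg[1:])


if __name__ == "__main__":
    ok, wire = demo("correct horse battery staple")
    print("login ok:", ok, "| password visible on the wire:", wire_leaks(wire, "correct horse battery staple"))
    print("wrong password accepted:", demo("wrong password")[0])
```

Two design points matter for the question's threat model: the server stores only the verifier v, so a dump of the user table does not yield passwords, and the session key K is derived from ephemeral a and b, so a proxy that records one login cannot reuse the transcript for another. In the real application this exchange would replace step 2 of the question's flow; the encrypted cookie of step 3 would still ride over TLS and remains exposed to the inspector, which is what the answer's second suggestion (TLS client authentication) addresses.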