Password sent over TLS: threats other than TLS compromise?

Question

One of my findings during a security audit was a password, sent as is over the network. As bad as it sounds, this happens only over HTTPS connection. Some authors suggested here that additional measures are not necessary, others point some problems as I was told in the comments.

What are the threats which are not mitigated by the TLS? Obviously, the passwords leak if TLS connection is attacked by a man-in-the-middle or compromised otherwise. Anything else?

An attack to the protocol instead might also be a vulnerability. Look up DROWN for example. — Rápli András, Apr 01 '16 at 06:20
Is this between a web browser and webserver? If so, there are additional issues on the browser side, as covered here: http://security.stackexchange.com/q/988/33 — AviD, Apr 01 '16 at 07:00
Why downvoting this ? It's not a great question but it's still a relevant one. — Stephane, Apr 01 '16 at 07:12
@SmokeDispenser: valid note, thanks. Question title updated. — Konstantin Shemyak, Apr 01 '16 at 07:14
@d1str0: I do not know how the passwords are stored, the server is not in the scope of the audit (not at this stage at least). If stored in plaintext, then it would be a major concern. — Konstantin Shemyak, Apr 01 '16 at 07:22
@techraf: The referenced question asks "what should I do". Here the focus is "why should I do something" - thus emphasizing "other attack vectors". — Konstantin Shemyak, Apr 01 '16 at 07:55
Both posts describe the same situation and start the question with "Is there any..." Can't see any reason for answers to be split under the two posts and thus be more difficult to find. — techraf, Apr 01 '16 at 08:00
Also the original title was natural and way better. Can't imagine someone looking for information would type "password as is" in the search query. — techraf, Apr 01 '16 at 08:11

score 2 · Accepted Answer · answered Apr 01 '16 at 06:34

Is there any other attack vector ...

It depends on the details of your implementation. If you are using a POST request or the common HTTP Authentication you should be fine. But if you are using a GET request to send the password (i.e. form with method=GET or similar) then the password might be kept in log files, HTTP Referer header etc which open up more attack vectors.

Password sent over TLS: threats other than TLS compromise?

1 Answers1