Https - Secure Site

I have what may be a simple question. When logging into a website that doesn't use SSL (https), are your credentials traveling in clear text? I am under the impression that the only way to encrypt your login is if the original page is https.

So that is my first question, and if I am correct that leads to my next question... Is there any way to encrypt this transmission using something besides SSL? The reason that I ask is that I have seen numerous sites which use http on their login page. To me that means it's not encrypted, and I can't understand why anyone would allow their login page to be unencrypted. Again, this may be pretty basic, but I would really like to get some feedback from you all. Thanks!!
Re: Https - Secure Site

amatachick@... wrote:
> I have what may be a simple question. When logging into a website that doesn't use SSL (https), are your credentials traveling in clear text? I am under the impression that the only way to encrypt your login is if the original page is https.
>
> So that is my first question, and if I am correct that leads to my next question...
>
> Is there any way to encrypt this transmission using something besides SSL?
>
> The reason that I ask is that I have seen numerous sites which use http on their login page. To me that means it's not encrypted, and I can't understand why anyone would allow their login page to be unencrypted.
>
> Again, this may be pretty basic, but I would really like to get some feedback from you all. Thanks!!

If the URL in your browser address line is HTTP, that does NOT mean that the data sent back for login is also HTTP. What you have to do is look at the 'action' option on the <FORM ...> tag. That URL is what controls whether the data is sent back using SSL or not.

That said, to answer your original question: if you are using web forms to authenticate (as opposed to the pop-up 'authenticate request' dialog box), and the form's action is not HTTPS, then your credentials will be sent in clear text. And, sorry, there is absolutely zero you can do about it other than refuse to use that web site.

And about the HTTP Authenticate Request box. That is just as bad as doing things in clear text. If you use basic authentication (which most do), then the data is BASE64 encoded (read: not so clear, but still clear text). If you use challenge authentication, then it is only marginally better than basic. Never authenticate that way! And don't even get me started on M$ authentication!

Bottom line: You are at the mercy of the web site developer. If they don't offer it, you can't do anything about it (except complain and/or nag).

And by the way, it probably gets A LOT worse. If a site is so lame as to NOT use SSL for authentication, you can bet that they are susceptible to XSS attacks, and probably even SQL Injection attacks. Two quick tests:

1) XSS. In one of the authentication boxes, type:

   "><SCRIPT>alert('TESTING%20123...')</SCRIPT>

   If they are susceptible to XSS, you will get a pop-up alert box.

2) SQL Injection. In the login box, type:

   YOURLOGINNAME' --

   and leave the password box blank. You may get authenticated w/o a password, you may get a dump of the authentication table... or who knows what will happen.

** WARNING ** DO THESE AT YOUR OWN LEGAL RISK!! YOU MAY VIOLATE ANY NUMBER OF LAWS IF YOU TRY THESE ON SOMEONE ELSE'S WEB SITE! (Or, use TOR!)

Finally, just because the two quick tests above fail, that does not mean that the site is not vulnerable to XSS or SQL Injection.

Hope this helps!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
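Added example, not code from the thread or from Jon's reply: a small Python audit that does what the reply above says to do by hand. It parses a login page, resolves each form's action URL against the page URL, and reports whether a form that carries a password field actually submits over https; it also decodes an HTTP Basic Authorization header to show that BASE64 is an encoding, not encryption. The HTML page, its URL, the field names and the header value are constructed for this demonstration, not taken from any real site.

```python
"""Check where a login form really sends credentials, and decode Basic auth.

Added example (not from the thread). SAMPLE_PAGE_URL, SAMPLE_HTML and the
Authorization header below are constructed inputs for the demonstration.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page fetched over plain http that contains three forms.
SAMPLE_PAGE_URL = "http://example.test/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://example.test/auth">
  <input name="user"><input type="password" name="pass">
</form>
<form id="search" method="get" action="/search">
  <input name="q">
</form>
<form id="legacy" method="post" action="http://legacy.example.test/login.php">
  <input name="username"><input type="password" name="password">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form>, its action/method, and whether it has a password box."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id"),
                             "action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url):
    """Return one finding per form that has a password field.

    The scheme of the *resolved* action URL decides whether the credentials
    travel under TLS; the address-bar scheme does not. A relative action
    inherits the page's scheme, so an http page with action="/login" is
    still cleartext.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        target = urljoin(page_url, f["action"])
        findings.append({"form": f["id"], "method": f["method"],
                         "target": target,
                         "encrypted": urlsplit(target).scheme.lower() == "https"})
    return findings


def decode_basic_auth(header_value):
    """Recover (user, password) from an HTTP Basic Authorization header.

    BASE64 is reversible by anyone who sees the header, so over plain http
    this is as good as cleartext.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for f in audit_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        status = "OK (https)" if f["encrypted"] else "CLEARTEXT"
        print(f"{f['form']:8} {f['method'].upper():5} {f['target']:45} {status}")
    # Constructed header, as a browser sends it after the Basic auth prompt.
    print(decode_basic_auth("Basic YWxpY2U6aHVudGVyMg=="))
```

In the constructed page the "login" form posts to https even though the page itself came over http, while the "legacy" form posts to a plain-http host; the "search" form has no password field and is skipped. For a real site, replace SAMPLE_HTML and SAMPLE_PAGE_URL with the fetched page and its URL. A form whose action is https but whose page was served over http is still exposed to an attacker who can rewrite the page in transit, so the check tells you where the credentials go, not that the page is trustworthy.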
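Added example, not code from the thread: the second "quick test" above (YOURLOGINNAME' -- with a blank password) run against a toy login backed by an in-memory SQLite table, beside the parameterized form of the same query. The user table, the test account and the query strings are constructed for this demonstration.

```python
"""Why YOURLOGINNAME' -- logs you in without a password.

Added example (not from the thread). The users table, the 'alice' account
and both queries are constructed for this demonstration.
"""
import sqlite3


def make_db():
    """In-memory user table with one constructed test account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation. Returns the matched user or None.

    With username = "alice' --" the SQL becomes
        SELECT username FROM users WHERE username = 'alice' --' AND password = ''
    and everything after -- is a comment, so the password check disappears.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The reply's payload, with the real account name substituted.
PAYLOAD = "alice' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, ""))
    print("safe:", login_safe(conn, PAYLOAD, ""))
    print("safe, real creds:", login_safe(conn, "alice", "hunter2"))
```

The vulnerable function returns "alice" for the payload with an empty password; the parameterized one returns None for the payload and only succeeds with the real credentials. Whether a real site reacts the way the reply describes depends on its database and error handling, which is why the reply notes that a failed quick test proves nothing.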
Re: Https - Secure Site

amatachick@... wrote:
> I have what may be a simple question. When logging into a website that doesn't use SSL (https), are your credentials traveling in clear text? I am under the impression that the only way to encrypt your login is if the original page is https.
>
> So that is my first question, and if I am correct that leads to my next question...
>
> Is there any way to encrypt this transmission using something besides SSL?

In theory, one could implement encryption using a Java applet or so, but I see no reason to do this!

> The reason that I ask is that I have seen numerous sites which use http on their login page. To me that means it's not encrypted, and I can't understand why anyone would allow their login page to be unencrypted.

If the login:password isn't very important, the site owner may consider that unencrypted http is acceptable, compared to buying an SSL cert (that is accepted by major browsers). For example, many sites running public mailing lists (with mailman, for example) will offer login over "plain" http. Otherwise, using https is highly recommended.

> Again, this may be pretty basic, but I would really like to get some feedback from you all. Thanks!!