amatachick@... wrote:
> I have what may be a simple question. When logging into a website that doesn't use SSL (https) are your credentials traveling in clear text? I am under the impression that the only way to encrypt your login is if the original page is https.
>
> So that is my first question, and if I am correct that leads to my next question...
>
> Is there any way to encrypt this transmission using something besides SSL?
>
> The reason that I ask is that I have seen numerous sites which use http on their login page. To me that means it's not encrypted and I can't understand why anyone would allow their login page to be unencrypted.
>
> Again, this may be pretty basic but I would really like to get some feedback from you all. Thanks!!
>
How do you know the login is not SSL? Have you looked at the source
code? If the URL in your browser address line is HTTP, that does NOT
mean that data sent back for login is also HTTP. What you have to do is
look at the 'action' option on the <FORMS ...> tag. That URL is what
controls whether the data is sent back using SSL or not.

That said, to answer your original question, if you are using web forms
to authenticate (as opposed to the pop-up 'authenticate request' dialog
box), and the form's action is not HTTPS, then your credentials will be
sent in clear text. And, sorry, there is absolutely zero you can do
about it other than refuse to use that web site.

And about the HTTP Authenticate Request box. That is just as bad as
doing things in clear text. If you use basic authentication (which most
do), then the data is BASE64 encoded (read, not so clear, but still
clear text). If you use challenge authentication, then it is only
marginally better than basic. Never authenticate that way! And don't
even get me started on M$ authentication!

Bottom line: You are at the mercy of the web site developer. If they
don't offer it, you can't do anything about it (except complain and/or nag).
And by the way, it probably gets A LOT worse. If a site is so lame as to
NOT use SSL for authentication, you can bet that they are susceptible to
XSS attacks, and probably even SQL Injection attacks.

Two quick tests:

1) XSS. In one of the authentication boxes, type:
"><SCRIPT>alert('TESTING%20123...')</SCRIPT>
If they are susceptible to XSS, you will get a pop-up alert box.

2) SQL Injection. In the login box, type:
YOURLOGINNAME' --
and leave the password box blank. You may get authenticated w/o a
password, you may get a dump of the authentication table... or
who knows what will happen.

** WARNING ** DO THESE AT YOUR OWN LEGAL RISK!! YOU MAY VIOLATE ANY
NUMBER OF LAWS IF YOU TRY THESE ON SOMEONE ELSE'S WEB SITE! (Or, use TOR!)

Finally, just because the two quick tests above fail, that does not mean
that the site is not vulnerable to XSS or SQL Injection.
Hope this helps!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
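The form-action check Jon describes, as an added example that is not part of the thread: it resolves each form's `action` against the page URL (a relative or missing action inherits the page's scheme) and reports whether the submission goes over HTTPS, and it shows why a Basic `Authorization` header is only encoded, not encrypted. The page URL, HTML and header below are constructed sample data.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect the 'action' attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "submit to the current URL".
            self.actions.append(dict(attrs).get("action") or "")


def login_form_targets(page_url, html):
    """Return (submission_url, encrypted) for each form on the page.

    The address bar scheme is not what matters: an http:// page can post to
    https://, and an action of "/login" on an http:// page posts in clear.
    """
    parser = _FormActionCollector()
    parser.feed(html)
    targets = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        targets.append((target, urlsplit(target).scheme == "https"))
    return targets


def decode_basic_auth(header_value):
    """Recover user and password from an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: anyone on the path can undo it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample: an http:// page with one HTTPS form and one HTTP form.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """
<form method="post" action="https://www.example.com/login">...</form>
<form method="post" action="/search">...</form>
"""
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()

if __name__ == "__main__":
    for url, encrypted in login_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(("encrypted  " if encrypted else "CLEAR TEXT ") + url)
    print(decode_basic_auth(SAMPLE_BASIC_HEADER))
```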