Posted by Proteus on November 29, 2005, 12:12 pm
I am told by people in charge at the campus where I teach that this login
page is secure, that the form login info (username, password) is secure
when sent. But the browser page (Firefox, Mandriva Linux) info says the
page is not encrypted, not secure. Can someone clarify how such a login
page can securely transmit the login info? Link to login page is below:
http://www.lsc.edu/Online/VirtualCampusLogin.cfm
Posted by Dr Balwinder Singh Dheeman on November 29, 2005, 12:56 pm
Proteus wrote:
> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
No, I don't think so; you are sending clear text data via _http_ (port 80),
whereas URLs for secure pages send encrypted data via _https_ (http
via ssl, port 443).
You can verify/confirm it by capturing data on port 80 and/or 443 with
the help of tcpdump(8) and/or ethereal(1).
--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/
Posted by Dr Balwinder Singh Dheeman on November 29, 2005, 1:17 pm
Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
>
> No, I don't think so; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and/or 443 with
> the help of tcpdump(8) and/or ethereal(1).
Oops! I'm sorry, I skipped checking the said page's HTML code. For
sending back the user's data it is using _https_ (http via ssl, port 443), so
it will transmit encrypted data and is secure.
--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/
Posted by Jeffrey F. Bloss on November 29, 2005, 1:18 pm
Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this
>> login page is secure, that the form login info (username, password) is
>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>> says the page is not encrypted, not secure. Can someone clarify how such
>> a login page can securely transmit the login info? Link to login page is
>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think so; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http via
> ssl, port 443).
Just to clarify, the login form is built this way...
<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" ... >
doLogin.asp is essentially a bit of JavaScript that does this among other
things...
form.action = 'https://lsc.ims.mnscu.edu';
[...]
form.submit();
A secure connection is negotiated before any form data is submitted, so
nothing but the form and the login script is sent in the clear, to the
site's visitor. No names or passwords or anything go back the other way
unencrypted.
FWIW, I did packet capture a (failed) session just to make sure nothing
was broken. ;)
--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208
Posted by Peter Pearson on November 29, 2005, 1:27 pm
Jeffrey F. Bloss wrote:
> Dr Balwinder Singh Dheeman wrote:
>> Proteus wrote:
>>> I am told by people in charge at the campus where I teach that this
>>> login page is secure, that the form login info (username, password) is
>>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>>> says the page is not encrypted, not secure. Can someone clarify how such
>>> a login page can securely transmit the login info? Link to login page is
>>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
> Just to clarify, the login form is built this way...
>
> <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
> method="post" ... >
>
> doLogin.asp is essentially a bit of JavaScript that does this among other
> things...
>
> form.action = 'https://lsc.ims.mnscu.edu';
> [...]
> form.submit();
>
> A secure connection is negotiated before any form data is submitted, so
> nothing but the form and the login script is sent in the clear, to the
> site's visitor. No names or passwords or anything go back the other way
> unencrypted.
Thank you for the explanation, and thanks to Proteus for
bringing it up. This is something I've wondered about for
a long time.
I used snort to capture the session, and saw that port 443
quickly came into play, and saw something resembling a
certificate go past ("$Equifax Secure Certificate Authority0...0504211"),
and noted that my "bait" username and password did not
appear in the clear.
--
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net