Posted by David H. Lipman on November 29, 2005, 1:20 pm
| Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
|
| No, I don't think; you are sending clear text data via _http_ (port 80),
| whereas URLs for secure pages send encrypted data via _https_ (http
| via ssl, port 443).
|
| You can verify/confirm it by capturing data on port 80 and, or 443 with
| help of tcpdump(8) and, or ethereal(1).
|
I just used Ethereal and the packet decode does show https (443) to 199.17.13.240.
It shows "Client Key Exchange, Change Cipher Spec., Encrypted Handshake Message".
I couldn't see a Clear Text of my faux Username and Password.
Looking at the HTML source I find...

<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post" name="processLogonForm"><br/>
<label for="userName">Username:</label> <input id="userName" name="userName" size="10"/> <br/><br/>
<label for="password">Password:</label> <input id="password" name="password" size="10" type="password"/> <br/><br/>
<input name="Login" type="submit"/></form>
<div align="right"><p class="toplinks"><a href="login.cfm">having problems?</a></p>
</div></td>
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
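
The check made above by reading the HTML source can be scripted. This is an added example, not part of the original post: it finds every form with a password field and compares the scheme of the page with the scheme of the form's submit target. SAMPLE_HTML is constructed from the fragment quoted above plus a hypothetical search form; LoginFormAuditor and audit() are names invented for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the login form quoted in the post, plus a made-up search form.
PAGE_URL = "http://www.lsc.edu/Online/VirtualCampusLogin.cfm"
SAMPLE_HTML = """
<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post" name="processLogonForm">
<input id="userName" name="userName" size="10"/>
<input id="password" name="password" size="10" type="password"/>
<input name="Login" type="submit"/></form>
<form action="search.cfm" method="get"><input name="q"/></form>
"""

class LoginFormAuditor(HTMLParser):
    """Hypothetical helper: collects each <form> that contains a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.current, self.findings = page_url, None, []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self.current = {"name": a.get("name"), "target": target}
            self.has_password = False
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.has_password:
                self.findings.append(self.current)
            self.current = None

def audit(page_url, html):
    """Return one finding per password form, with a verdict on transport."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    for f in parser.findings:
        submit_tls = urlsplit(f["target"]).scheme == "https"
        f["verdict"] = ("credentials submitted in clear text" if not submit_tls else
                        "page and submission both over TLS" if page_tls else
                        "submission over TLS, page delivered in clear text")
    return parser.findings

if __name__ == "__main__":
    for r in audit(PAGE_URL, SAMPLE_HTML):
        print(r["name"], "->", r["target"], ":", r["verdict"])
```

This only reads the markup as delivered; a packet capture, as done in the thread, is still what confirms what actually goes on the wire.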
|
|
Posted by Newsbox on November 29, 2005, 1:25 pm
On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and, or 443 with
> help of tcpdump(8) and, or ethereal(1).
I have come across similar "secure" logins on non-secure pages, also
questioned and was reassured, and did capture what was actually
transmitted. It was in fact encrypted, in the case that I looked at. I
suspect that each such case of importance needs individual examination.
It seems there are different ways to divide a page into secure and
non-secure parts, i.e. with frames or scripts.
The question that remains in my mind is why anyone would bother with the
additional complexities involved in doing so, along with all the new
possible sources of error and insecurity, especially for a simple login
page. I'm sure those who write these pages have their reasons, but it
seems like a bad idea to me.
|
|
Posted by Peter Pearson on November 29, 2005, 1:33 pm
Newsbox wrote:
> The question that remains in my mind is why anyone would bother with the
> additional complexities involved in doing so, along with all the new
> possible sources of error and insecurity, especially for a simple login
> page. I'm sure those who write these pages have their reasons, but it
> seems like a bad idea to me.
I agree that straightforward tends to be better. I believe
the motivation is saving the processing power that would
be spent setting up secure sessions for people who come to
the login page but do not log in.
--
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net
|
|
Posted by Proteus on November 29, 2005, 1:38 pm
On Tue, 29 Nov 2005 13:25:33 -0500, Newsbox wrote:
..
> I have come across similar "secure" logins on non-secure pages, also
> questioned and was reassured, and did capture what was actually
> transmitted. It was in fact encrypted, in the case that I looked at....
Thank you everybody for the reassurance (from me and all the online
teachers I work with). I am entering a new world, trying to learn some
security stuff-- this page got me jolted to finally download and install
Ethereal which I did, and I barely know how to use it but I captured a
login at that page and saved it as a text file and looked for my login
name and password and could not find it. But then I am a total newbie at
Ethereal. But what you all say seems to confirm what I hopefully learned
also with Ethereal. Thanks again all!
|
|
Posted by Greg Metcalfe on December 2, 2005, 3:44 am
Newsbox wrote:
<snip>
>
> I have come across similar "secure" logins on non-secure pages, also
> questioned and was reassured, and did capture what was actually
> transmitted. It was in fact encrypted, in the case that I looked at. I
> suspect that each such case of importance needs individual examination.
> It seems there are different ways to divide a page into secure and
> non-secure parts, ie. with frames or scripts.
>
It is indeed possible for a page to be assembled containing secure and
non-secure parts. Every page element you see is the result of a new HTTP
GET generated by your browser. This is far different from FTP, etc.
> The question that remains in my mind is why anyone would bother with the
> additional complexities involved in doing so, along with all the new
> possible sources of error and insecurity, especially for a simple login
> page. I'm sure those who write these pages have their reasons, but it
> seems like a bad idea to me.
You are 100% correct, IMO. I think it's bad from three different viewpoints.
1- From the secure coder's perspective: complexity is the enemy of security.
You introduce complexity *only* when you must. Full stop.
2- From an auditor's perspective: Complexity of analysis increases. You now
have an inescapable need for either a code review, or to look at what's on
the wire. To do a good job, that actually means looking at what's on the
wire. More than one system has fallen because of code correctly written,
but to an API that didn't function as per its docs.
3- From the user's perspective: seeing a login page with http vice https in
the location bar will put many people off. Not enough, though, or this
technique would be extinct in the wild.
Cheers,
Greg
--
Greg Metcalfe
GPG fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029