is this webpage secure?

Subject Author Date
is this webpage secure? Proteus 11-29-2005
Posted by Jeffrey F. Bloss on November 29, 2005, 1:15 pm
Proteus wrote:

> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

It's secure enough. The login is handled by a client side script that
negotiates a connection to https://lsc.ims.mnscu.edu before the login form
data is submitted.

I suppose it might be a tad more secure to have the page that presents the
login form sent securely because someone might be able to "man in the
middle" attack that page, and replace the script with a bogus one, but if
they have that ability it's not going to be much harder to just attack the
whole HTTPS connection anyway.

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208


Posted by Winged on November 29, 2005, 11:28 pm
Jeffrey F. Bloss wrote:
> Proteus wrote:
>
>
>>I am told by people in charge at the campus where I teach that this login
>>page is secure, that the form login info (username, password) is secure
>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>>page is not encrypted, not secure. Can someone clarify how such a login
>>page can securely transmit the login info? Link to login page is below:
>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
>
> It's secure enough. The login is handled by a client side script that
> negotiates a connection to https://lsc.ims.mnscu.edu before the login form
> data is submitted.
>
> I suppose it might be a tad more secure to have the page that presents the
> login form sent securely because someone might be able to "man in the
> middle" attack that page, and replace the script with a bogus one, but if
> they have that ability it's not going to be much harder to just attack the
> whole HTTPS connection anyway.
>
I missed the js login entry. All I noted was post method. Ignore my
previous post, it apparently was in error.

Winged

Posted by Winged on November 29, 2005, 11:13 pm
Proteus wrote:
> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
>

The page is not secure for several reasons but the most glaring issue is
the password login is passed via post method in the clear. This
could be potentially intercepted using several methods or entry points.

In a school environment I would definitely change the post login method being
used, it is a tempting and easy target.

Winged

Posted by traveler on December 1, 2005, 2:52 am
wrote:

>I am told by people in charge at the campus where I teach that this login
>page is secure, that the form login info (username, password) is secure
>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>page is not encrypted, not secure. Can someone clarify how such a login
>page can securely transmit the login info? Link to login page is below:
>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

Sometimes the page has to be opened in a new window to see the actual
encrypted (SSL) page, but it all depends on how the set up is made, if
you open in a new window and you don't see the SSL, I wouldn't trust
it.

Regards
>


Posted by Jim Watt on December 1, 2005, 3:36 am
wrote:

>wrote:
>
>>I am told by people in charge at the campus where I teach that this login
>>page is secure, that the form login info (username, password) is secure
>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>>page is not encrypted, not secure. Can someone clarify how such a login
>>page can securely transmit the login info? Link to login page is below:
>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
>Sometimes the page has to be opened in a new window to see the actual
>encrypted (SSL) page, but it all depends on how the set up is made, if
>you open in a new window and you don't see the SSL, I wouldn't trust
>it.

It's badly designed as although it is secure, it does not look that way
to the user.
--
Jim Watt
http://www.gibnet.com
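
The two properties this thread argues over, as an added example that is not part of any post above: whether a login form's credentials travel over HTTPS, and whether the page carrying the form (and its submit script) was itself delivered over HTTPS. The function name, the hostnames and the sample markup are constructed for illustration and are not the markup of the page under discussion.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup: first form posts to HTTPS, second posts to the page's own origin.
SAMPLE = """<form method="post" action="https://login.example.test/auth" onsubmit="return go(this)">
<input name="user"><input type="password" name="pw"></form>
<form method="post" action="/local-login"><input type="password" name="pw"></form>"""


class _LoginForms(HTMLParser):
    """Collect every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "scripted": "onsubmit" in a, "password": False}
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._open["password"]:
                self.forms.append(self._open)
            self._open = None


def audit_login_page(page_url, html):
    """Return one finding per login form in html as served from page_url."""
    parser = _LoginForms()
    parser.feed(html)
    parser.close()
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # relative action inherits page scheme
        findings.append({
            "target": target,
            # True when the submitted username/password are sent over HTTPS
            "credentials_encrypted": urlsplit(target).scheme == "https",
            # False when the form and its script arrived over plain HTTP
            "form_integrity_protected": page_tls,
            "scripted_submit": form["scripted"],
        })
    return findings
```

A form can report `credentials_encrypted` as true while `form_integrity_protected` is false, which is the case where the browser shows the page as not encrypted even though the submission itself is.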
