Newbieish question about standard security practices

Posted by rsheridan6 on June 11, 2005, 11:04 pm
Hi,

I've just been learning how to use Ethereal and have been looking at
how authentication is handled by various websites. I found that
bloglines.com sends your username and password as clear text. Is this
normal practice, and is it particularly irresponsible (the answer can
be yes to both questions at once)? They don't have your bank account
number or anything extremely sensitive like that, but probably half of
the users have the same username/passwords for other sites that you do.



Posted by DarbyCrash on June 12, 2005, 6:16 pm
I think it is irresponsible in this day and age, especially when so many
better solutions exist. Network sniffing is so common now. In the past,
you at least had to have some skill to understand a network sniffer to
steal passwords. Now, any 13 year old script kiddie can download one of
a thousand password sniffers and start stealing your information.
Publicly accessible networks like wireless hotspots, college/school
networks, public libraries and internet cafes only make the issue more
urgent. My girlfriend was going to one of the big universities here in
Chicago and asked me one day how safe it was logging on to her personal
email accounts through her school's network. Curious to find out myself,
I fired up Ethereal on her WinXP PC and was totally surprised to find
out we were not on a switched network. I could see all the traffic on
my physical segment of the network. I downloaded a Windows password
sniffing utility that's popular with the script kiddies called Cain,
just to see what it would capture. I was shocked at what it found.
Within hours it had captured over 50 plain-text passwords. Even the
university's own internal pages that allowed access to students'
personal information were authenticated in plain-text. Something as
simple as just authenticating over an SSL connection would be infinitely
better than no protection at all.



Posted by Thor Kottelin on June 12, 2005, 8:34 pm


rsheridan6@gmail.com wrote:

> I found that
> bloglines.com sends your username and password as clear text. Is this
> normal practice, and is it particularly irresponsible (the answer can
> be yes to both questions at once)?

It (including base-64 basic authentication) is very common, which is why I'd
stop short of calling it "particularly" irresponsible.

However, IMO web sites requiring authorization should use an encrypted
connection, which should be protected by using a generally recognized
certificate. Granted, many users would still fall for a MITM attack, but
performing one is much more complicated than grabbing the plain text or
base-64 passwords off the line.

Thor

--
http://www.anta.net/OH2GDF


Posted by shrike@cyberspace.org on June 15, 2005, 5:59 am
rsheridan6@gmail.com wrote:
> Hi,
>
> I've just been learning how to use Ethereal and have been looking at
> how authentication is handled by various websites. I found that
> bloglines.com sends your username and password as clear text. Is this
> normal practice, and is it particularly irresponsible (the answer can
> be yes to both questions at once)? They don't have your bank account
> number or anything extremely sensitive like that, but probably half of
> the users have the same username/passwords for other sites that you do.

Howdy,

Yes it is irresponsible, yes it is fairly common practice. You may
want to poke through your cookies sometime as well. It's amazing how
many cookies store authentication information that is usable in a
replay attack.

It's just a matter of laziness and site managers not doing the due
diligence to protect their customers' interests. SSL-izing the website
would prevent sniffing; that doesn't even require any code, just
properly configuring the server.

Open source modules are available for doing this correctly even using
straight port 80 tcp, and take very little additional effort to
implement.

-FWIW
-Matt
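Thor's remark that Basic auth is only base-64 and Matt's point about replayable authentication cookies both come down to the same audit: look at what a plain-HTTP request actually carries. The example below is added here and is not code from any poster; it parses constructed sample requests (not real captures) and flags the credential material that anyone sniffing the same segment would see. The password field names and session cookie names it recognises are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample requests in the shape a sniffer shows for plain HTTP:
# a login form POST, an HTTP Basic auth request, and a request with a cookie.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2",
    "GET /private HTTP/1.1\r\nHost: example.invalid\r\n"
    "Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n",
    "GET /home HTTP/1.1\r\nHost: example.invalid\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\n\r\n",
]

# Assumed names; extend for the site being audited.
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
SESSION_COOKIES = {"sessionid", "phpsessid", "jsessionid"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_exposures(raw):
    """Return (kind, detail) findings for credential material sent in the clear."""
    _method, _path, headers, body = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base-64, an encoding rather than encryption: it decodes directly.
        try:
            user = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)[0]
            findings.append(("basic-auth", user))
        except (binascii.Error, UnicodeDecodeError):
            findings.append(("basic-auth", "<undecodable>"))
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        # Form logins over plain HTTP carry the password as a body field.
        findings.extend(("form-password", f) for f in parse_qs(body) if f.lower() in PASSWORD_FIELDS)
    for part in headers.get("cookie", "").split(";"):
        name = part.strip().partition("=")[0].lower()
        if name in SESSION_COOKIES:
            findings.append(("session-cookie", name))  # replayable without the password
    return findings
```

Running `find_exposures` over each entry of `SAMPLE_REQUESTS` reports the form password field, the Basic auth username, and the session cookie respectively; a request with none of these returns an empty list.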


