Re: is this webpage secure? - Security


Thread: Re: is this webpage secure?

  1. Re: is this webpage secure?

    On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:

    > Proteus wrote:
    >> I am told by people in charge at the campus where I teach that this login
    >> page is secure, that the form login info (username, password) is secure
    >> when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >> page is not encrypted, not secure. Can someone clarify how such a login
    >> page can securely transmit the login info? Link to login page is below:
    >> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    > No, I don't think so; you are sending clear text data via _http_ (port 80),
    > whereas URLs for secure pages send encrypted data via _https_ (http
    > via ssl, port 443).
    >
    > You can verify/confirm it by capturing data on port 80 and, or 443 with
    > help of tcpdump(8) and, or ethereal(1).


    I have come across similar "secure" logins on non-secure pages, also
    questioned and was reassured, and did capture what was actually
    transmitted. It was in fact encrypted, in the case that I looked at. I
    suspect that each such case of importance needs individual examination.
    It seems there are different ways to divide a page into secure and
    non-secure parts, ie. with frames or scripts.

    The question that remains in my mind is why anyone would bother with the
    additional complexities involved in doing so, along with all the new
    possible sources of error and insecurity, especially for a simple login
    page. I'm sure those who write these pages have their reasons, but it
    seems like a bad idea to me.

  2. Re: is this webpage secure?

    Newsbox wrote:
    > The question that remains in my mind is why anyone would bother with the
    > additional complexities involved in doing so, along with all the new
    > possible sources of error and insecurity, especially for a simple login
    > page. I'm sure those who write these pages have their reasons, but it
    > seems like a bad idea to me.


    I agree that straightforward tends to be better. I believe
    the motivation is saving the processing power that would
    be spent setting up secure sessions for people who come to
    the login page but do not log in.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net


  3. Re: is this webpage secure?

    On Tue, 29 Nov 2005 13:25:33 -0500, Newsbox wrote:
    ...
    > I have come across similar "secure" logins on non-secure pages, also
    > questioned and was reassured, and did capture what was actually
    > transmitted. It was in fact encrypted, in the case that I looked at....


    Thank you everybody for the reassurance (from me and all the online
    teachers I work with). I am entering a new world, trying to learn some
    security stuff -- this page got me jolted to finally download and install
    Ethereal, which I did, and I barely know how to use it, but I captured a
    login at that page and saved it as a text file and looked for my login
    name and password and could not find it. But then I am a total newbie at
    Ethereal. But what you all say seems to confirm what I hopefully learned
    also with Ethereal. Thanks again all!


  4. Re: is this webpage secure?

    Newsbox wrote:

    >
    > I have come across similar "secure" logins on non-secure pages, also
    > questioned and was reassured, and did capture what was actually
    > transmitted. It was in fact encrypted, in the case that I looked at. I
    > suspect that each such case of importance needs individual examination.
    > It seems there are different ways to divide a page into secure and
    > non-secure parts, ie. with frames or scripts.
    >

    It is indeed possible for a page to be assembled containing secure and
    non-secure parts. Every page element you see is the result of a new HTTP
    GET generated by your browser. This is far different from FTP, etc.

    > The question that remains in my mind is why anyone would bother with the
    > additional complexities involved in doing so, along with all the new
    > possible sources of error and insecurity, especially for a simple login
    > page. I'm sure those who write these pages have their reasons, but it
    > seems like a bad idea to me.


    You are 100% correct, IMO. I think it's bad from three different viewpoints.
    1- From the secure coder's perspective: complexity is the enemy of security.
    You introduce complexity *only* when you must. Full stop.
    2- From an auditor's perspective: complexity of analysis increases. You now
    have an inescapable need for either a code review, or to look at what's on
    the wire. To do a good job, that actually means looking at what's on the
    wire. More than one system has fallen because of code correctly written,
    but to an API that didn't function as per its docs.
    3- From the user's perspective: seeing a login page with http vice https in
    the location bar will put many people off. Not enough, though, or this
    technique would be extinct in the wild.

    Cheers,
    Greg

    --
    Greg Metcalfe
    GPG fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029
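An added example, not written by any poster in this thread, of the auditor's check Greg describes: a small Python script that walks a login page's markup the way a browser would, resolves every sub-resource and every form action against the page URL, and reports which form submissions would travel over HTTPS and which page elements are fetched in the clear. The page URL and the two HTML documents are constructed for illustration and are not the real campus login page. It only tells you where the form *would* post; as the earlier replies note, a capture on port 80/443 is still the way to confirm what was actually sent.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTP-served page whose login form posts to HTTPS
# (the "secure form on a non-secure page" pattern discussed in the thread).
# The hostname and markup are assumptions for this example.
PAGE_URL = "http://www.example.edu/Online/Login.cfm"
SAMPLE_LOGIN_PAGE = """
<html><body>
<img src="http://www.example.edu/images/banner.gif">
<script src="https://www.example.edu/js/login.js"></script>
<form method="post" action="https://www.example.edu/Online/DoLogin.cfm">
  <input name="username"><input name="password" type="password">
</form>
<form method="get" action="/search.cfm"><input name="q"></form>
</body></html>
"""

# Constructed counter-example: no action attribute, so the browser posts the
# credentials back to the page's own (http) URL.
SAMPLE_PLAIN_LOGIN_PAGE = """
<form method="post"><input name="user"><input name="pass" type="password"></form>
"""


class ElementCollector(HTMLParser):
    """Record every sub-resource URL and every form the page references."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []      # (tag, absolute URL) for img/script/link/iframe/frame
        self.forms = []          # dicts: method, absolute action URL, (name, type) fields
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe", "frame") and a.get("src"):
            self.resources.append((tag, urljoin(self.base_url, a["src"])))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, urljoin(self.base_url, a["href"])))
        elif tag == "form":
            # An empty or missing action means "submit to the page's own URL".
            action = urljoin(self.base_url, a.get("action") or "")
            self._current_form = {"method": (a.get("method") or "get").lower(),
                                  "action": action, "fields": []}
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None and a.get("name"):
            self._current_form["fields"].append(
                (a["name"], (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def analyze_page(base_url, html):
    """Resolve every element's URL and classify it by transport scheme."""
    p = ElementCollector(base_url)
    p.feed(html)
    p.close()
    report = {"page_https": urlsplit(base_url).scheme == "https",
              "forms": [], "plain_resources": []}
    for f in p.forms:
        report["forms"].append({
            "method": f["method"],
            "action": f["action"],
            "fields": f["fields"],
            "submits_over_https": urlsplit(f["action"]).scheme == "https",
        })
    for tag, url in p.resources:
        if urlsplit(url).scheme != "https":
            report["plain_resources"].append((tag, url))
    return report


def unencrypted_password_forms(report):
    """Actions of forms that would send a password field over plain HTTP."""
    return [f["action"] for f in report["forms"]
            if any(t == "password" for _, t in f["fields"])
            and not f["submits_over_https"]]


if __name__ == "__main__":
    for label, html in (("login page", SAMPLE_LOGIN_PAGE),
                        ("plain login page", SAMPLE_PLAIN_LOGIN_PAGE)):
        r = analyze_page(PAGE_URL, html)
        print(f"{label}: page over https = {r['page_https']}")
        for f in r["forms"]:
            print(f"  form {f['method'].upper()} -> {f['action']} "
                  f"(https={f['submits_over_https']}, fields={f['fields']})")
        print(f"  elements fetched in the clear: {r['plain_resources']}")
        print(f"  password forms posting over http: {unencrypted_password_forms(r)}")
```

The report separates two questions the thread runs together: whether the *page* arrived over HTTPS (the browser's padlock) and whether each *form submission* would leave over HTTPS. A page can fail the first and pass the second, which is exactly the case Newsbox captured; the second check is the one that matters for the credentials, while the first is why the browser shows "not secure".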
