This is a discussion on "is this webpage secure?" within the Linux Security forums, part of the System Security and Security Related category.
I am told by people in charge at the campus where I teach that this login page is secure, that the form login info (username, password) is secure when sent. But the browser page (Firefox, Mandriva Linux) info says the page is not encrypted, not secure. Can someone clarify how such a login page can securely transmit the login info? Link to login page is below:

http://www.lsc.edu/Online/VirtualCampusLogin.cfm
Proteus wrote:
> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

No, I don't think; you are sending clear text data via _http_ (port 80), whereas URLs for secure pages send encrypted data via _https_ (http via ssl, port 443).

You can verify/confirm it by capturing data on port 80 and/or 443 with help of tcpdump(8) and/or ethereal(1).

--
Dr Balwinder Singh Dheeman
Registered Linux User: #229709
CLLO (Chief Linux Learning Officer)
Machines: #168573, 170593, 259192
Anu's Linux@HOME
Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/
Visit: http://counter.li.org/
Proteus wrote:
> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

It's secure enough. The login is handled by a client side script that negotiates a connection to https://lsc.ims.mnscu.edu before the login form data is submitted.

I suppose it might be a tad more secure to have the page that presents the login form sent securely, because someone might be able to "man in the middle" attack that page and replace the script with a bogus one, but if they have that ability it's not going to be much harder to just attack the whole HTTPS connection anyway.

--
 _?_    Outside of a dog, a book is a man's best friend.
(@ @)   Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok!  Registered Linux user #402208
Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and/or 443 with
> help of tcpdump(8) and/or ethereal(1).

Oops! I'm sorry, I skipped checking the said page's HTML code. For sending back the user's data it is using _https_ (http via ssl, port 443), so it will transmit encrypted data and is secure.

--
Dr Balwinder Singh Dheeman
Registered Linux User: #229709
CLLO (Chief Linux Learning Officer)
Machines: #168573, 170593, 259192
Anu's Linux@HOME
Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/
Visit: http://counter.li.org/
Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this
>> login page is secure, that the form login info (username, password) is
>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>> says the page is not encrypted, not secure. Can someone clarify how such
>> a login page can securely transmit the login info? Link to login page is
>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http via
> ssl, port 443).

Just to clarify, the login form is built this way...

<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" ... >

doLogin.asp is essentially a bit of JavaScript that does this, among other things...

form.action = 'https://lsc.ims.mnscu.edu';
[...]
form.submit();

A secure connection is negotiated before any form data is submitted, so nothing but the form and the login script is sent in the clear, to the site's visitor. No names or passwords or anything go back the other way unencrypted.

FWIW, I did packet capture a (failed) session just to make sure nothing was broken. ;)

--
 _?_    Outside of a dog, a book is a man's best friend.
(@ @)   Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok!  Registered Linux user #402208
From: "Dr Balwinder Singh Dheeman" <bsd.SANSPAM@sebs.org.in>
| Proteus wrote:
|> I am told by people in charge at the campus where I teach that this login
|> page is secure, that the form login info (username, password) is secure
|> when sent. But the browser page (Firefox, Mandriva Linux) info says the
|> page is not encrypted, not secure. Can someone clarify how such a login
|> page can securely transmit the login info? Link to login page is below:
|> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
|
| No, I don't think; you are sending clear text data via _http_ (port 80),
| whereas URLs for secure pages send encrypted data via _https_ (http
| via ssl, port 443).
|
| You can verify/confirm it by capturing data on port 80 and/or 443 with
| help of tcpdump(8) and/or ethereal(1).

I just used Ethereal and the packet decode does show https (443) to 199.17.13.240. It shows "Client Key Exchange, Change Cipher Spec., Encrypted Handshake Message". I couldn't see a clear text of my faux username and password.

Looking at the HTML source I find...

https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post" name="processLogonForm"><br/><label for="userName">Username:</label>
<input id="userName" name="userName" size="10"/>
<br/><br/><label for="password">Password:</label>
<input id="password" name="password" size="10" type="password"/>
<br/><br/><input name="Login" type="submit"/></form><div align="right"><p class="toplinks"><a href="login.cfm">having problems?</a></p> </div></td>

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
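Jeffrey and Dave answered the question by reading the HTML source and checking where the form's action points. As an added example (not code from this thread, and not the college's or the D2L site's own code), here is that check automated: it parses a page, finds every form containing a password input, resolves the form action against the page URL, and reports two separate facts that the thread keeps distinct: whether the credentials themselves travel over HTTPS, and whether the form (and any script it relies on) was delivered over plain HTTP, which is the "man in the middle could replace the script" caveat Jeffrey raised. The sample page below is constructed from the form markup quoted in the thread and the URL Proteus posted; it is not a fetch of the live page.

```python
"""Report where a login page's forms send credentials (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the form markup quoted in the thread.
SAMPLE_PAGE_URL = "http://www.lsc.edu/Online/VirtualCampusLogin.cfm"
SAMPLE_HTML = """
<html><body>
<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
      method="post" name="processLogonForm">
<label for="userName">Username:</label>
<input id="userName" name="userName" size="10"/>
<label for="password">Password:</label>
<input id="password" name="password" size="10" type="password"/>
<input name="Login" type="submit"/>
</form>
<form action="search.cfm" method="get"><input name="q"/></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form>: its action, method, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags such as <input .../> here.
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def check_login_forms(page_url, html):
    """Return one finding per form that contains a password input."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative (or empty) action inherits the page's own scheme and host,
        # so resolve it before judging the scheme.
        target = urljoin(page_url, form["action"])
        findings.append({
            "action": target,
            "method": form["method"],
            "credentials_encrypted": urlsplit(target).scheme.lower() == "https",
            "form_delivered_in_clear": page_scheme != "https",
        })
    return findings


def explain(finding):
    """One-line verdict for a finding, separating transport from page integrity."""
    if not finding["credentials_encrypted"]:
        return "credentials would be sent in clear text to %s" % finding["action"]
    msg = "credentials are posted to %s over TLS" % finding["action"]
    if finding["form_delivered_in_clear"]:
        msg += ("; but the form itself arrived over plain http, so anyone who can "
                "alter traffic on the path could change the form or its script "
                "before you submit")
    return msg


if __name__ == "__main__":
    for f in check_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(explain(f))
```

For the sample page the verdict is the one the thread reached: the password goes to an https action, so the credentials are encrypted on the wire, while the form was served over http. Swapping the action for a relative path like `/login` on an `http://` page flips the first flag, which is the case Dr Dheeman's first reply assumed. Note that this reads only the static markup; a script that rewrites `form.action` at submit time, as doLogin.asp does here, can only be confirmed by reading that script or by capturing the traffic, which is what the later replies did.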
On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and/or 443 with
> help of tcpdump(8) and/or ethereal(1).

I have come across similar "secure" logins on non-secure pages, also questioned and was reassured, and did capture what was actually transmitted. It was in fact encrypted, in the case that I looked at. I suspect that each such case of importance needs individual examination. It seems there are different ways to divide a page into secure and non-secure parts, i.e. with frames or scripts.

The question that remains in my mind is why anyone would bother with the additional complexities involved in doing so, along with all the new possible sources of error and insecurity, especially for a simple login page. I'm sure those who write these pages have their reasons, but it seems like a bad idea to me.
Jeffrey F. Bloss wrote:
> Dr Balwinder Singh Dheeman wrote:
>> Proteus wrote:
>>> I am told by people in charge at the campus where I teach that this
>>> login page is secure, that the form login info (username, password) is
>>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>>> says the page is not encrypted, not secure. Can someone clarify how such
>>> a login page can securely transmit the login info? Link to login page is
>>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> Just to clarify, the login form is built this way...
>
> <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
> method="post" ... >
>
> doLogin.asp is essentially a bit of JavaScript that does this among other
> things...
>
> form.action = 'https://lsc.ims.mnscu.edu';
> [...]
> form.submit();
>
> A secure connection is negotiated before any form data is submitted, so
> nothing but the form and the login script is sent in the clear, to the
> site's visitor. No names or passwords or anything go back the other way
> unencrypted.

Thank you for the explanation, and thanks to Proteus for bringing it up. This is something I've wondered about for a long time.

I used snort to capture the session, and saw that port 443 quickly came into play, and saw something resembling a certificate go past ("$Equifax Secure Certificate Authority0...0504211"), and noted that my "bait" username and password did not appear in the clear.

--
Peter Pearson
To get my email address, substitute: nowhere -> spamcop, invalid -> net
Newsbox wrote:
> The question that remains in my mind is why anyone would bother with the
> additional complexities involved in doing so, along with all the new
> possible sources of error and insecurity, especially for a simple login
> page. I'm sure those who write these pages have their reasons, but it
> seems like a bad idea to me.

I agree that straightforward tends to be better. I believe the motivation is saving the processing power that would be spent setting up secure sessions for people who come to the login page but do not log in.

--
Peter Pearson
To get my email address, substitute: nowhere -> spamcop, invalid -> net
On Tue, 29 Nov 2005 13:25:33 -0500, Newsbox wrote:
...
> I have come across similar "secure" logins on non-secure pages, also
> questioned and was reassured, and did capture what was actually
> transmitted. It was in fact encrypted, in the case that I looked at....

Thank you everybody for the reassurance (from me and all the online teachers I work with). I am entering a new world, trying to learn some security stuff -- this page got me jolted to finally download and install Ethereal, which I did, and I barely know how to use it, but I captured a login at that page and saved it as a text file and looked for my login name and password and could not find it. But then I am a total newbie at Ethereal. But what you all say seems to confirm what I hopefully learned also with Ethereal.

Thanks again all!