Security Basics mailing list archives
RE: Encrypted or Not Encrypted
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Thu, 13 Nov 2008 09:33:45 -0500
Indeed this is a manual redirect initiated by the user instead of an HTTP redirect that is started by the web server (*). IMHO you need to make sure that you POST credentials via HTTPS. The form snippet in your email seems to do exactly that.

A possible test to make sure you establish a secure SSL connection before sending credentials to the site is to use a web proxy (e.g. WebScarab (**) or Paros (***)) and analyze the traffic to the server. By analyzing the HTTP requests and responses you can also look at the HTTP headers to identify other issues besides information disclosure of passwords, such as, for example, caching, the form of authentication being used (e.g. basic authentication via SSL protects credentials but is not as strong as other authentications toward network attacks), secure session management to make sure session IDs are changed after the POST, etc. etc.

Sorry for the web application security spin.

(*) http://en.wikipedia.org/wiki/URL_redirection
(**) http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
(***) http://www.parosproxy.org/index.shtml

Regards
Marco Morana
OWASP Cincinnati Chapter Leader
http://www.owasp.org/index.php/Cincinnati
NYC OWASP Conference is the OWASP USA Event!
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ray Van Dolson
Sent: Thursday, September 11, 2008 7:10 PM
To: security-basics () securityfocus com
Subject: Re: Encrypted or Not Encrypted

On Thu, Sep 11, 2008 at 11:25:21AM -0700, amatachick () gmail com wrote:
I've run into this issue a few times now and would like to know what y'all think. Here is the situation: A website not using SSL has a login page. As soon as credentials are entered on this page they are redirected to a site using SSL. Here is a specific example of the code on one such site:

<form name="loginpersonal" method="POST"
action="https://secure.sitename.com/engine/login/login.asp" onSubmit="return checkLoginForm(this);">
<input type=hidden name=IsPostback value=1>

Now, from what I understand, the login credentials would still be unencrypted while traveling to the secure site. So that would negate the effect of having it redirect to a secure site in the first place. Right? I keep bringing up this fact but all I get back is that it's being redirected so it's secure. I feel like I'm taking crazy pills here so I'd appreciate some feedback. Am I wrong? If I am I can handle that, I'd just like to know. Thanks!
When the user clicks submit above, the POST request containing the login information in the form is sent directly to the HTTPS URL in the "action" field. Redirect wouldn't really be the correct term to use here... you'd be talking directly to the HTTPS server from the moment you submit the form in this case.

Ray
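An added example, not code from this thread or from any of its authors, that turns the point Ray and Marco make into a check: what decides whether the credentials travel over TLS is the scheme of the form's action attribute (after resolving it against the page URL), not the scheme of the page that displayed the form. The script parses an HTML page, finds every form that contains a password field, resolves its action, and reports whether the POST would go to an https:// URL; it also does the minimal Cache-Control check Marco suggests looking for in a proxy. The page URL, HTML and headers are constructed samples (the "sitename.example" host is made up), modelled on the form quoted above.

```python
"""Check where a login form will actually send credentials.

Added example, not from the thread. The HTML, page URL and headers below are
constructed samples; the form mirrors the one quoted in the original question.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect, for each <form>, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; unquoted values are fine.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html):
    """Return [(resolved_action_url, secure)] for every form collecting a password.

    `secure` is True only when the credentials will be POSTed to an https:// URL.
    A relative action inherits the scheme of the page that served the form, which
    is the trap when that page is plain http://.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        findings.append((target, urlsplit(target).scheme == "https"))
    return findings


def check_cache_headers(headers):
    """True when the response forbids caching (Cache-Control includes no-store)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in lowered.get("cache-control", "").split(",")}
    return "no-store" in directives


# Constructed sample: an http:// page carrying a form like the one in the thread,
# plus a second login form with a relative action and a non-login search form.
SAMPLE_PAGE_URL = "http://www.sitename.example/login.html"
SAMPLE_HTML = """
<html><body>
<form name="loginpersonal" method="POST"
      action="https://secure.sitename.example/engine/login/login.asp">
  <input type=hidden name=IsPostback value=1>
  <input type=text name=user>
  <input type=password name=pass>
</form>
<form name="legacy" method="POST" action="/cgi-bin/login">
  <input type=text name=user>
  <input type=password name=pass>
</form>
<form name="search" method="GET" action="/search">
  <input type=text name=q>
</form>
</body></html>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}

if __name__ == "__main__":
    for target, secure in check_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(("OK   " if secure else "RISK ") + "credentials go to " + target)
    print("cache-safe:", check_cache_headers(SAMPLE_HEADERS))
```

Run against the sample, the first form is reported OK (absolute https:// action, as in the thread) while the second is flagged, because its relative action resolves to http://www.sitename.example/cgi-bin/login; the search form is ignored since it collects no password. Feeding the script a page fetched through the proxy Marco describes gives the same answer the manual header inspection would.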