Security Basics mailing list archives

RE: Encrypted or Not Encrypted

From: "Basha, Arif" <abasha () apa org>
Date: Tue, 16 Sep 2008 15:23:02 -0400

I think Rob is talking about the difference similar to the two following sites:

http://wachovia.com/

and

https://onlineservices.wachovia.com/auth/AuthService?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction%3dreturnHome

So if you enter the password on the first URL, is it secured on its way to the second URL, where the SSL handshake is 
initiated from?




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Douglas C. Duckworth
Sent: Tuesday, September 16, 2008 12:36 PM
To: Rob
Cc: Eifrém Strinnholm Jonas; <amatachick () gmail com>; <security-basics () securityfocus com>
Subject: Re: Encrypted or Not Encrypted

If you connect with SSL, you perform the handshake first.  Thereafter 
all data is encrypted.  You don't send your password first.  That would 
make no sense since the data is viewable as plain text. 

More information:

http://www.schneier.com/paper-ssl.pdf

Rob wrote:

So how are the credentials protected in network transit to the secure 
site?  The way you explain it, I see the creds being exposed on their 
way to the secure site.

Optimally they should enter their creds after ssl has setup the secure 
session, not after..

What am I missing?

Rob

Sent from my iPhone

On Sep 12, 2008, at 6:44 AM, Eifrém Strinnholm Jonas 
<Jonas.Eifrem () sweco se> wrote:

Encrypted.

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On
Behalf Of amatachick () gmail com
Sent: den 11 september 2008 20:25
To: security-basics () securityfocus com
Subject: Encrypted or Not Encrypted

I've run into this issue a few times now and would like to know what 
y'all
think. Here is the situation: A website not using SSL has a login 
page. As
soon as credentials are entered on this page they are redirected to a 
site
using SSL. Here is a specific example of the code on one such site:

<form name="loginpersonal" method="POST"
action="https://secure.sitename.com/engine/login/login.asp"; 
onSubmit="return
checkLoginForm(this);">

  <input type=hidden name=IsPostback value=1>

Now, from what I understand, the login credentials would still be
unencrypted while traveling to the secure site. So that would negate the
effect of having it redirect to a secure site in the first place. 
Right? I
keep brining up this fact but all I get back is that it's being 
redirected
so it's secure. I feel like I'm taking crazy pills here so I'd 
appreciate
some feedback. Am I wrong? If I am I can handle that, I'd just like 
to know.
Thanks!

Current thread:

Encrypted or Not Encrypted amatachick (Sep 11)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
  - Re: Encrypted or Not Encrypted Gregory Rubin (Sep 16)
- Re: Encrypted or Not Encrypted Garry Baker (Sep 12)
- RE: Encrypted or Not Encrypted Eifrém Strinnholm Jonas (Sep 12)
  - Re: Encrypted or Not Encrypted Rob (Sep 16)
    - Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 16)
    - RE: Encrypted or Not Encrypted Basha, Arif (Sep 16)
    - Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 17)
    - Re: Encrypted or Not Encrypted Roman Fulop (Sep 18)
    - Message not available
    - Re: Encrypted or Not Encrypted Roman Fulop (Sep 19)
    - Re: Encrypted or Not Encrypted Rob (Sep 17)
    - RE: Encrypted or Not Encrypted Boaz Shunami (Sep 17)
- Re: Encrypted or Not Encrypted Ray Van Dolson (Sep 12)
  - RE: Encrypted or Not Encrypted Marco M. Morana (Sep 16)
- <Possible follow-ups>
- Re: Encrypted or Not Encrypted ab_e (Sep 12)
- Re: Encrypted or Not Encrypted krymson (Sep 12)
- Re: Encrypted or Not Encrypted robert (Sep 12)

(Thread continues...)