Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Computer Security (http://www.velocityreviews.com/forums/f38-computer-security.html)
-   -   is this webpage secure? (http://www.velocityreviews.com/forums/t307322-is-this-webpage-secure.html)

Proteus 11-29-2005 05:12 PM

is this webpage secure?
 
I am told by people in charge at the campus where I teach that this login
page is secure, that the form login info (username, password) is secure
when sent. But the browser page (Firefox, Mandriva Linux) info says the
page is not encrypted, not secure. Can someone clarify how such a login
page can securely transmit the login info? Link to login page is below:
http://www.lsc.edu/Online/VirtualCampusLogin.cfm



Dr Balwinder Singh Dheeman 11-29-2005 05:56 PM

Re: is this webpage secure?
 
Proteus wrote:
> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm


No, I don't think; you are sending clear text data via _http_ (port 80),
whereas URLs for secure pages send encrypted data via _https_ (http
via ssl, port 443).

You can verify/confirm it by capturing data on port 80 and, or 443 with
help of tcpdump(8) and, or ethereal(1).

--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/

Jeffrey F. Bloss 11-29-2005 06:15 PM

Re: is this webpage secure?
 
Proteus wrote:

> I am told by people in charge at the campus where I teach that this login
> page is secure, that the form login info (username, password) is secure
> when sent. But the browser page (Firefox, Mandriva Linux) info says the
> page is not encrypted, not secure. Can someone clarify how such a login
> page can securely transmit the login info? Link to login page is below:
> http://www.lsc.edu/Online/VirtualCampusLogin.cfm


It's secure enough. The login is handled by a client side script that
negotiates a connection to https://lsc.ims.mnscu.edu before the login form
data is submitted.

I suppose it might be a tad more secure to have the page that presents the
login form sent securely because someone might be able to "man in the
middle" attack that page, and replace the script with a bogus one, but if
they have that ability it's not going to be much harder to just attack the
whole HTTPS connection anyway.

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208


Dr Balwinder Singh Dheeman 11-29-2005 06:17 PM

Re: is this webpage secure?
 
Dr Balwinder Singh Dheeman wrote:
> Proteus wrote:
>
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

>
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and, or 443 with
> help of tcpdump(8) and, or ethereal(1).


Oops! I'm sorry, I skipped checking the said page's HTML code. For
sending back user's data it is using _https_ (http via ssl, port 443) so
it will transmit encrypted data and is secure.

--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/

Jeffrey F. Bloss 11-29-2005 06:18 PM

Re: is this webpage secure?
 
Dr Balwinder Singh Dheeman wrote:

> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this
>> login page is secure, that the form login info (username, password) is
>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>> says the page is not encrypted, not secure. Can someone clarify how such
>> a login page can securely transmit the login info? Link to login page is
>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm

>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http via
> ssl, port 443).


Just to clarify, the login form is built this way...

<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" ... >

doLogin.asp is essentially a bit of JavaScript that does this among other
things...

form.action = 'https://lsc.ims.mnscu.edu';
[...]
form.submit();

A secure connection is negotiated before any form data is submitted, so
nothing but the form and the login script is sent in the clear, to the
site's visitor. No names or passwords or anything go back the other way
unencrypted.

FWIW, I did packet capture a (failed) session just to make sure nothing
was broken. ;)

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208
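The pattern described in this post (a form delivered over plain HTTP whose action points at an HTTPS endpoint) can be checked statically before reaching for a packet capture. Below is an added example, not code from the thread or from the college's site: it parses a page's HTML, resolves each form's action against the page URL, and reports, for every form containing a password field, whether the credentials would leave the browser over TLS, and whether the page carrying the form was itself fetched insecurely (the tamper-in-transit caveat raised earlier in the thread). The page URL, hostnames and HTML are constructed placeholders. Note that it only inspects the static action attribute; a script that rewrites form.action at submit time, as this post describes, has to be verified by reading the script or by capturing the traffic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page served over plain HTTP whose form posts to
# an HTTPS endpoint. Hostnames and paths are placeholders, not the real site.
PAGE_URL = "http://www.example.edu/Online/Login.cfm"
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.edu/doLogin.asp" method="post" name="processLogonForm">
  <label for="userName">Username:</label> <input id="userName" name="userName" size="10"/>
  <label for="password">Password:</label> <input id="password" name="password" size="10" type="password"/>
  <input name="Login" type="submit"/>
</form>
<form action="search.cfm" method="get"><input name="q"/></form>
</body></html>
"""

# Constructed sample of the bad case: relative action, so it posts back over HTTP.
CLEAR_HTML = '<form action="login.cfm" method="post"><input name="u"/><input name="p" type="password"/></form>'


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it holds a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means "submit back to the page URL itself".
            action = a.get("action") or self.base_url
            self._current = {
                "name": a.get("name") or "",
                "method": (a.get("method") or "get").lower(),
                "action": urljoin(self.base_url, action),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that contains a password field.

    The verdict distinguishes three cases: the form posts without TLS (credentials
    in the clear); the form posts over HTTPS but the page itself arrived over HTTP
    (credentials encrypted, form/script could be altered in transit); both HTTPS.
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        action_scheme = urlsplit(f["action"]).scheme.lower()
        if action_scheme != "https":
            verdict = "CREDENTIALS IN CLEAR: form posts over " + action_scheme
        elif page_scheme != "https":
            verdict = ("credentials encrypted, but login page served over "
                       + page_scheme + ": form/script could be tampered in transit")
        else:
            verdict = "ok: page and form action both HTTPS"
        findings.append({"form": f["name"], "method": f["method"],
                         "action": f["action"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HTML, CLEAR_HTML):
        for finding in audit_login_forms(PAGE_URL, sample):
            print(finding["form"] or "(unnamed)", finding["method"].upper(),
                  finding["action"], "->", finding["verdict"])
```

Run against a live page you administer by fetching it with urllib and passing the response body and final URL in; the "ok" verdict only appears when both the page and the action use HTTPS, which is the configuration the thread's later replies recommend.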


David H. Lipman 11-29-2005 06:20 PM

Re: is this webpage secure?
 
From: "Dr Balwinder Singh Dheeman" <bsd.SANSPAM@sebs.org.in>

| Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

|
| No, I don't think; you are sending clear text data via _http_ (port 80),
| whereas URLs for secure pages send encrypted data via _https_ (http
| via ssl, port 443).
|
| You can verify/confirm it by capturing data on port 80 and, or 443 with
| help of tcpdump(8) and, or ethereal(1).
|

I just used Ethereal and the packet decode does show https (443) to 199.17.13.240

It shows "Client Key Exchange, Change Cipher Spec., Encrypted Handshake Message"

I couldn't see a Clear Text of my faux Username and Password

Looking at the HTML source I find...

https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post" name="processLogonForm">
<br/><label for="userName">Username:</label>&nbsp;&nbsp; <input id="userName" name="userName" size="10"/>
<br/><br/><label for="password">Password:</label>&nbsp;&nbsp;&nbsp; <input id="password" name="password" size="10" type="password"/>
<br/><br/><input name="Login" type="submit"/></form>
<div align="right"><p class="toplinks"><a href="login.cfm">having problems?</a></p></div></td>

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
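The decode Dave reports ("Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message") is what a protocol dissector produces from the TLS record layer: each record carries a one-byte content type, and once a Change Cipher Spec record has gone by, later handshake records can no longer be read and are labelled as encrypted. The following is an added example, not code from the thread or from Ethereal: a minimal TLS record-layer decoder run over a constructed client-to-server byte stream, plus the check the posters did by hand, searching the raw bytes for the "faux" credentials (in both plain and URL-encoded form, since a browser percent-encodes form data). The stream, the credentials and the record contents are constructed; the handshake bodies are not parsed beyond their type byte.

```python
import struct
from urllib.parse import quote_plus

# TLS record-layer content types and the handshake message types a decoder labels.
CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}


def tls_record(content_type, payload, version=b"\x03\x01"):
    """Build one TLS record: type (1), version (2), length (2), payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake_msg(hs_type, body):
    """Build one handshake message: type (1), length (3), body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# Constructed client->server stream of a TLS 1.0 login: ClientHello, ClientKeyExchange,
# ChangeCipherSpec, encrypted Finished, then the encrypted POST carrying the form.
CLIENT_STREAM = (
    tls_record(22, handshake_msg(1, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00"))
    + tls_record(22, handshake_msg(16, b"\x00\x10" + b"\x11" * 16))
    + tls_record(20, b"\x01")
    + tls_record(22, b"\xaa" * 40)   # Finished: encrypted, so the type byte is unreadable
    + tls_record(23, b"\xbb" * 64)   # application data: the POST, encrypted
)

# Constructed contrast: the same login posted over plain HTTP on port 80.
PLAIN_STREAM = b"POST /login.cfm HTTP/1.0\r\nHost: www.example.edu\r\n\r\nuserName=faux&password=p%40ss"


def describe_handshake(payload):
    """Label each handshake message inside a cleartext handshake record."""
    labels = []
    j = 0
    while j + 4 <= len(payload):
        hs_type = payload[j]
        hs_len = int.from_bytes(payload[j + 1:j + 4], "big")
        labels.append(HANDSHAKE_TYPES.get(hs_type, "handshake type %d" % hs_type))
        j += 4 + hs_len
    return labels


def decode_tls_stream(stream):
    """Return the record labels a dissector would show for one direction of a TLS session."""
    labels = []
    encrypted = False
    i = 0
    while i + 5 <= len(stream):
        ctype = stream[i]
        length = struct.unpack("!H", stream[i + 3:i + 5])[0]
        payload = stream[i + 5:i + 5 + length]
        if len(payload) < length:
            labels.append("truncated record")
            break
        i += 5 + length
        if ctype == 20:
            encrypted = True          # everything after this is under the negotiated keys
            labels.append(CONTENT_TYPES[20])
        elif ctype == 22:
            labels.extend(["Encrypted Handshake Message"] if encrypted else describe_handshake(payload))
        else:
            labels.append(CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype))
    return labels


def credentials_in_clear(stream, username, password):
    """True if either credential appears in the captured bytes, raw or URL-encoded."""
    needles = {username, password, quote_plus(username), quote_plus(password)}
    return any(n.encode() in stream for n in needles)


if __name__ == "__main__":
    print(decode_tls_stream(CLIENT_STREAM))
    print("TLS stream leaks credentials:", credentials_in_clear(CLIENT_STREAM, "faux", "p@ss"))
    print("plain HTTP leaks credentials:", credentials_in_clear(PLAIN_STREAM, "faux", "p@ss"))
```

On a real capture, feed the reassembled TCP payload of the client-to-server direction to decode_tls_stream; a handshake that never reaches Change Cipher Spec, or any Application Data record preceding it, is the signal that something is wrong.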



Newsbox 11-29-2005 06:25 PM

Re: is this webpage secure?
 
On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:

> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and, or 443 with
> help of tcpdump(8) and, or ethereal(1).


I have come across similar "secure" logins on non-secure pages, also
questioned and was reassured, and did capture what was actually
transmitted. It was in fact encrypted, in the case that I looked at. I
suspect that each such case of importance needs individual examination.
It seems there are different ways to divide a page into secure and
non-secure parts, ie. with frames or scripts.

The question that remains in my mind is why anyone would bother with the
additional complexities involved in doing so, along with all the new
possible sources of error and insecurity, especially for a simple login
page. I'm sure those who write these pages have their reasons, but it
seems like a bad idea to me.

Peter Pearson 11-29-2005 06:27 PM

Re: is this webpage secure?
 
Jeffrey F. Bloss wrote:
> Dr Balwinder Singh Dheeman wrote:
>> Proteus wrote:
>>> I am told by people in charge at the campus where I teach that this
>>> login page is secure, that the form login info (username, password) is
>>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>>> says the page is not encrypted, not secure. Can someone clarify how such
>>> a login page can securely transmit the login info? Link to login page is
>>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm

> Just to clarify, the login form is built this way...
>
> <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
> method="post" ... >
>
> doLogin.asp is essentially a bit of JavaScript that does this among other
> things...
>
> form.action = 'https://lsc.ims.mnscu.edu';
> [...]
> form.submit();
>
> A secure connection is negotiated before any form data is submitted, so
> nothing but the form and the login script is sent in the clear, to the
> site's visitor. No names or passwords or anything go back the other way
> unencrypted.


Thank you for the explanation, and thanks to Proteus for
bringing it up. This is something I've wondered about for
a long time.

I used snort to capture the session, and saw that port 443
quickly came into play, and saw something resembling a
certificate go past ("$Equifax Secure Certificate Authority0...0504211"),
and noted that my "bait" username and password did not
appear in the clear.

--
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net


Peter Pearson 11-29-2005 06:33 PM

Re: is this webpage secure?
 
Newsbox wrote:
> The question that remains in my mind is why anyone would bother with the
> additional complexities involved in doing so, along with all the new
> possible sources of error and insecurity, especially for a simple login
> page. I'm sure those who write these pages have their reasons, but it
> seems like a bad idea to me.


I agree that straightforward tends to be better. I believe
the motivation is saving the processing power that would
be spent setting up secure sessions for people who come to
the login page but do not log in.

--
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net


Proteus 11-29-2005 06:38 PM

Re: is this webpage secure?
 
On Tue, 29 Nov 2005 13:25:33 -0500, Newsbox wrote:
...
> I have come across similar "secure" logins on non-secure pages, also
> questioned and was reassured, and did capture what was actually
> transmitted. It was in fact encrypted, in the case that I looked at....


Thank you everybody for the reassurance (from me and all the online
teachers I work with). I am entering a new world, trying to learn some
security stuff-- this page got me jolted to finally download and install
Ethereal which I did, and I barely know how to use it but I captured a
login at that page and saved it as a text file and looked for my login
name and password and could not find it. But then I am a total newbie at
Ethereal. But what you all say seems to confirm what I hopefully learned
also with Ethereal. Thanks again all!


