Is it possible at all to secure an unencrypted website?

LenaMsdn08
      02-07-2009
We recently had this discussion at work - someone had suggested implementing
single sign-on by passing a random 32-byte key in the query string and matching
it against a database that is used by both applications. Both sites are
written in ASP.NET 1.1.

It was pointed out that passing this key in the query string was a huge
security hole; anyone who intercepted the request on the Internet could then
use the key to log in.

On the other hand, wouldn't any unencrypted (using http, not https) website
be vulnerable pretty much no matter what you do? For example, even if the
session object is server-side, isn't the cookie that stores the session ID
passed in the HTTP request, so just as well as intercepting the query string,
couldn't someone intercept the cookie and hijack the session?

(My apologies for the lack of correct terminology in this post.)
 
Reply With Quote
Joe Kaplan
      02-07-2009
Your analysis is correct. If you want it to be secure, you really need to
consider SSL. Session cookies or cookies that supply authentication
information are just as easily intercepted as query string parameters if the
plaintext HTTP data can be sniffed.


--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Reply With Quote
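To make Joe's point concrete, here is an added example (my code, not from the thread or from either poster) of what a passive sniffer on the path sees in plaintext HTTP. The three "captures" are constructed sample requests; the hosts, paths, parameter and cookie names and every token value are made up. It goes slightly beyond the two cases in the question: a 32-byte SSO key in the query string, a session cookie, and a username/password in a POST body are all equally just bytes in the clear, and each can be lifted and replayed as-is.

```python
"""Added example: harvest credential-bearing values from cleartext HTTP requests.

The captures below are constructed samples, not real traffic. Host names,
paths, parameter/cookie names and all values are invented for illustration.
"""
from urllib.parse import urlsplit, parse_qs

SAMPLE_SSO_KEY = "3f9c" * 16                    # 64 hex chars = a 32-byte key (made up)
SAMPLE_SESSION_ID = "m2x4o3ffv5hgbi55dm3gq2zq"  # made-up ASP.NET-style session ID

# Constructed sample captures, CRLF line endings as on the wire.
CAPTURED_REQUESTS = [
    # 1. The proposed SSO hand-off: key in the query string.
    (f"GET /Sso/Land.aspx?ssoKey={SAMPLE_SSO_KEY}&ReturnUrl=%2fDefault.aspx HTTP/1.1\r\n"
     "Host: app2.example.test\r\n"
     "\r\n").encode(),
    # 2. An ordinary request from an already logged-in browser: session cookie.
    ("GET /Secure/Download.aspx HTTP/1.1\r\n"
     "Host: app1.example.test\r\n"
     f"Cookie: ASP.NET_SessionId={SAMPLE_SESSION_ID}; Theme=blue\r\n"
     "\r\n").encode(),
    # 3. The login form itself, posted without SSL.
    ("POST /Login.aspx HTTP/1.1\r\n"
     "Host: app1.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: 33\r\n"
     "\r\n"
     "UserName=lena&Password=Winter2009").encode(),
]

# Names worth stealing (hypothetical list; a real tool would carry a longer one).
CREDENTIAL_PARAMS = {"ssokey", "token", "sessionid", "username", "password"}
CREDENTIAL_COOKIES = {"asp.net_sessionid", ".aspxauth"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("iso-8859-1")


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (plain split, as browsers send it)."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def harvest_credentials(raw: bytes) -> dict:
    """Return every credential-bearing value in one cleartext request,
    keyed by where it was found: query:, form: or cookie:."""
    _method, target, headers, body = parse_request(raw)
    found = {}
    for name, values in parse_qs(urlsplit(target).query).items():
        if name.lower() in CREDENTIAL_PARAMS:
            found[f"query:{name}"] = values[0]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body).items():
            if name.lower() in CREDENTIAL_PARAMS:
                found[f"form:{name}"] = values[0]
    for name, value in parse_cookie_header(headers.get("cookie", "")).items():
        if name.lower() in CREDENTIAL_COOKIES:
            found[f"cookie:{name}"] = value
    return found


def harvest_all(captures=CAPTURED_REQUESTS) -> list:
    """Run the harvester over every capture; one dict per request."""
    return [harvest_credentials(raw) for raw in captures]


if __name__ == "__main__":
    for raw, creds in zip(CAPTURED_REQUESTS, harvest_all()):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", creds)
```

Each of the three requests yields a value that can be pasted straight into a replayed request; where the credential travels (URL, header or body) makes no difference to an eavesdropper. The query-string variant is slightly worse in practice because URLs also end up in browser history, proxy and web-server logs and Referer headers, but that is a leakage argument on top of the sniffing one, not instead of it.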
LenaMsdn08
      02-07-2009
Joe,

Thank you for the information and for getting back to me so quickly - I'll
have to do some more thinking about our site, apparently.

More or less thinking out loud ...

I noticed, when I went in to check the newsgroup, that for example the MSDN
login and subscriber download pages are secure, but the MSDN home page and
many other pages without sensitive content are not, which makes sense (secure
pages are slower).

The top right of the page says "Welcome Lena" and "Sign Out" so MSDN must
see me as logged in ... but I assume it's not actually passing any
authentication information on these pages, where someone could intercept it
and use it to access the secure download page. I'm sure Microsoft wouldn't let
anyone break in so easily and steal expensive software.

Comparing to something I noticed on another website I worked on a long time
ago ... most of the site was non-secure but there were some secure pages, and
the secure and non-secure parts used different ASP Session IDs. That would take
care of keeping the non-secure pages from giving away authentication data for
the secure pages, wouldn't it?

I'm sure there is more to it than that, of course ... I'll work away on it
and see what I can find.

Thank you again for the information, it was helpful!

Reply With Quote
Joe Kaplan
      02-07-2009
Amazon also is a good example of maintaining some notion of who you are but
switching to secure mode for actual ordering operations and other similar
stuff.

One way to do this is to ensure that your actual authentication cookies are
set with the Secure flag so the browser will only return them on a secure
channel. You could have a personalization cookie that cannot be used to
access secure resources that still indicates who the user is.

Essentially, this type of thing needs to be designed thoughtfully to be
effective. Microsoft has some good guidance around developing threat models
to help you understand what the threats are and how to mitigate them.

And yes, if you use gmail without HTTPS, someone can steal your
authentication information and possibly read your mail. I recommend you not
do that.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Reply With Quote
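The split Joe describes, and the "different session IDs for the secure and non-secure parts" idea from Lena's previous post, both come down to one browser rule: a cookie flagged Secure is returned only over https, so an eavesdropper on the plain pages never sees it. The following is an added example (my code, not the thread's or Microsoft's) that models that rule with a small cookie jar and shows the two server-side checks it lets you separate. Cookie names (.ASPXAUTH, DisplayName), hosts and the ticket value are hypothetical; `require_ssl=False` is included as the weak setting for comparison.

```python
"""Added example: a Secure-flagged authentication cookie next to a plain
personalization cookie, and what a sniffer on the http:// pages gets.

Only the Secure-flag rule from RFC 6265 is modelled. Cookie names, hosts
and the ticket value are made up for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False      # Set-Cookie ...; Secure  -> sent only over https
    http_only: bool = False   # Set-Cookie ...; HttpOnly (not exercised here)


class CookieJar:
    """Minimal browser cookie store for one site."""

    def __init__(self):
        self._cookies = {}

    def set_cookie(self, cookie: Cookie) -> None:
        self._cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> dict:
        """What the browser attaches to a request for `url`:
        Secure cookies are withheld unless the scheme is https."""
        on_secure_channel = urlsplit(url).scheme == "https"
        return {c.name: c.value for c in self._cookies.values()
                if on_secure_channel or not c.secure}


AUTH_TICKET = "ticket-for-lena-0a1b2c"   # stands in for an encrypted forms-auth ticket


def login(jar: CookieJar, require_ssl: bool = True) -> None:
    """Cookies the server sets after a successful login (done over https).
    require_ssl=True is the hardened setting: the auth cookie gets Secure.
    require_ssl=False is the weak setting, kept only for comparison."""
    jar.set_cookie(Cookie(".ASPXAUTH", AUTH_TICKET, secure=require_ssl, http_only=True))
    # Personalization only; knowing this value grants nothing.
    jar.set_cookie(Cookie("DisplayName", "Lena"))


def sniffed_cookies(jar: CookieJar, url: str) -> dict:
    """What a passive eavesdropper captures when the browser requests `url`:
    everything the browser sent on http://, nothing on https://."""
    return jar.cookies_for(url) if urlsplit(url).scheme == "http" else {}


# Server side ---------------------------------------------------------------

def greeting(cookies: dict) -> str:
    """Rendered on every page, secure or not; reads the personalization cookie only."""
    name = cookies.get("DisplayName")
    return f"Welcome {name}" if name else "Welcome, guest"


def authorize_download(cookies: dict) -> bool:
    """Gate on the secure download page: only the authentication ticket counts.
    DisplayName is deliberately ignored here."""
    return cookies.get(".ASPXAUTH") == AUTH_TICKET


def hijack_attempt(require_ssl: bool) -> tuple:
    """Browse the plain home page, let a sniffer copy the cookies, then replay
    them against the secure page. Returns (greeting shown, download granted)."""
    jar = CookieJar()
    login(jar, require_ssl=require_ssl)
    home_url = "http://www.example.test/Default.aspx"
    shown = greeting(jar.cookies_for(home_url))
    stolen = sniffed_cookies(jar, home_url)
    return shown, authorize_download(stolen)


if __name__ == "__main__":
    print("Secure flag set:  ", hijack_attempt(require_ssl=True))    # ('Welcome Lena', False)
    print("Secure flag unset:", hijack_attempt(require_ssl=False))   # ('Welcome Lena', True)
```

In ASP.NET the equivalent of `secure=True` is `HttpCookie.Secure = true` on a cookie you issue yourself, and for forms authentication the `requireSSL="true"` attribute on the `<forms>` element in web.config. Two caveats the model makes visible: the ASP.NET session cookie is not Secure by default, so anything authorization-relevant kept in Session is still exposed on the plain pages unless that cookie is split off the same way; and the Secure flag only stops the browser from sending the cookie, it does not stop an active attacker from altering the http:// pages themselves.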
LenaMsdn08
      02-08-2009
Joe,

Thanks again for your insights - this gave me a lot of good ideas. I will
look for more security info on Microsoft's website too.

Reply With Quote
Allen Chen [MSFT]
      02-09-2009
Hi,

In addition to what Joe said, I'd like to provide some general
documentation, FYI:

http://msdn.microsoft.com/en-us/library/aa302426.aspx
http://www.devx.com/security/Article/20898

If you have additional questions please feel free to let me know.

Regards,
Allen Chen
Microsoft Online Support

Reply With Quote
Allen Chen [MSFT]
      02-13-2009
Hi Lena,

Have you got the expected answer? If you have additional questions please
feel free to ask. I'll do my best to follow up.

Regards,
Allen Chen
Microsoft Online Support


 
Reply With Quote