is this webpage secure?

Discussion in 'Computer Security' started by Proteus, Nov 29, 2005.

  1. Proteus

    Proteus Guest

    I am told by people in charge at the campus where I teach that this login
    page is secure, that the form login info (username, password) is secure
    when sent. But the browser page (Firefox, Mandriva Linux) info says the
    page is not encrypted, not secure. Can someone clarify how such a login
    page can securely transmit the login info? Link to login page is below:
    http://www.lsc.edu/Online/VirtualCampusLogin.cfm
     
    Proteus, Nov 29, 2005
    #1

  2. Proteus wrote:
    > I am told by people in charge at the campus where I teach that this login
    > page is secure, that the form login info (username, password) is secure
    > when sent. But the browser page (Firefox, Mandriva Linux) info says the
    > page is not encrypted, not secure. Can someone clarify how such a login
    > page can securely transmit the login info? Link to login page is below:
    > http://www.lsc.edu/Online/VirtualCampusLogin.cfm


    No, I don't think so; you are sending clear text data via _http_ (port 80),
    whereas URLs for secure pages send encrypted data via _https_ (http
    via ssl, port 443).

    You can verify/confirm it by capturing data on port 80 and/or 443 with
    the help of tcpdump(8) and/or ethereal(1).

    --
    Dr Balwinder Singh Dheeman Registered Linux User: #229709
    CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
    Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
    More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/
     
    Dr Balwinder Singh Dheeman, Nov 29, 2005
    #2

  3. Proteus wrote:

    > I am told by people in charge at the campus where I teach that this login
    > page is secure, that the form login info (username, password) is secure
    > when sent. But the browser page (Firefox, Mandriva Linux) info says the
    > page is not encrypted, not secure. Can someone clarify how such a login
    > page can securely transmit the login info? Link to login page is below:
    > http://www.lsc.edu/Online/VirtualCampusLogin.cfm


    It's secure enough. The login is handled by a client side script that
    negotiates a connection to https://lsc.ims.mnscu.edu before the login form
    data is submitted.

    I suppose it might be a tad more secure to have the page that presents the
    login form sent securely because someone might be able to "man in the
    middle" attack that page, and replace the script with a bogus one, but if
    they have that ability it's not going to be much harder to just attack the
    whole HTTPS connection anyway.

    --
    _?_ Outside of a dog, a book is a man's best friend.
    (@ @) Inside of a dog, it's too dark to read.
    -oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok! Registered Linux user #402208
     
    Jeffrey F. Bloss, Nov 29, 2005
    #3
  4. Dr Balwinder Singh Dheeman wrote:
    > Proteus wrote:
    >
    >> I am told by people in charge at the campus where I teach that this login
    >> page is secure, that the form login info (username, password) is secure
    >> when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >> page is not encrypted, not secure. Can someone clarify how such a login
    >> page can securely transmit the login info? Link to login page is below:
    >> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    >
    > No, I don't think; you are sending clear text data via _http_ (port 80),
    > where as URL's for secure pages send encrypted data via _https_ (http
    > via ssl, port 443).
    >
    > You can verify/confirm it by capturing data on port 80 and, or 443 with
    > help of tcpdump(8) and, or ethereal(1).


    Oops! I'm sorry, I skipped checking the said page's HTML code. For
    sending back the user's data it is using _https_ (http via ssl, port 443), so
    it will transmit encrypted data and is secure.

    --
    Dr Balwinder Singh Dheeman Registered Linux User: #229709
    CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
    Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
    More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/
     
    Dr Balwinder Singh Dheeman, Nov 29, 2005
    #4
  5. Dr Balwinder Singh Dheeman wrote:

    > Proteus wrote:
    >> I am told by people in charge at the campus where I teach that this
    >> login page is secure, that the form login info (username, password) is
    >> secure when sent. But the browser page (Firefox, Mandriva Linux) info
    >> says the page is not encrypted, not secure. Can someone clarify how such
    >> a login page can securely transmit the login info? Link to login page is
    >> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    > No, I don't think; you are sending clear text data via _http_ (port 80),
    > where as URL's for secure pages send encrypted data via _https_ (http via
    > ssl, port 443).


    Just to clarify, the login form is built this way...

    <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
    method="post" ... >

    doLogin.asp is essentially a bit of JavaScript that does this among other
    things...

    form.action = 'https://lsc.ims.mnscu.edu';
    [...]
    form.submit();

    A secure connection is negotiated before any form data is submitted, so
    nothing but the form and the login script is sent in the clear, to the
    site's visitor. No names or passwords or anything go back the other way
    unencrypted.

    FWIW, I did packet capture a (failed) session just to make sure nothing
    was broken. ;)

    --
    _?_ Outside of a dog, a book is a man's best friend.
    (@ @) Inside of a dog, it's too dark to read.
    -oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok! Registered Linux user #402208
     
    Jeffrey F. Bloss, Nov 29, 2005
    #5
  6. From: "Dr Balwinder Singh Dheeman" <>

    | Proteus wrote:
    >> I am told by people in charge at the campus where I teach that this login
    >> page is secure, that the form login info (username, password) is secure
    >> when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >> page is not encrypted, not secure. Can someone clarify how such a login
    >> page can securely transmit the login info? Link to login page is below:
    >> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    |
    | No, I don't think; you are sending clear text data via _http_ (port 80),
    | where as URL's for secure pages send encrypted data via _https_ (http
    | via ssl, port 443).
    |
    | You can verify/confirm it by capturing data on port 80 and, or 443 with
    | help of tcpdump(8) and, or ethereal(1).
    |

    I just used Ethereal and the packet decode does show https (443) to 199.17.13.240

    It shows "Client Key Exchange, Change Cipher Spec., Encrypted Handshake Message"

    I couldn't see a Clear Text of my faux Username and Password

    Looking at the HTML source I find...

    https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post"
    name="processLogonForm"><br/><label for="userName">Username:</label>&nbsp;&nbsp; <input
    id="userName" name="userName" size="10"/> <br/><br/><label
    for="password">Password:</label>&nbsp;&nbsp;&nbsp; <input id="password" name="password"
    size="10" type="password"/> <br/><br/><input name="Login" type="submit"/></form><div
    align="right"><p class="toplinks"><a href="login.cfm">having problems?</a></p>
    </div></td>

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Nov 29, 2005
    #6
  7. Proteus

    Newsbox Guest

    On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:

    > Proteus wrote:
    >> I am told by people in charge at the campus where I teach that this login
    >> page is secure, that the form login info (username, password) is secure
    >> when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >> page is not encrypted, not secure. Can someone clarify how such a login
    >> page can securely transmit the login info? Link to login page is below:
    >> http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    > No, I don't think; you are sending clear text data via _http_ (port 80),
    > where as URL's for secure pages send encrypted data via _https_ (http
    > via ssl, port 443).
    >
    > You can verify/confirm it by capturing data on port 80 and, or 443 with
    > help of tcpdump(8) and, or ethereal(1).


    I have come across similar "secure" logins on non-secure pages, also
    questioned and was reassured, and did capture what was actually
    transmitted. It was in fact encrypted, in the case that I looked at. I
    suspect that each such case of importance needs individual examination.
    It seems there are different ways to divide a page into secure and
    non-secure parts, ie. with frames or scripts.

    The question that remains in my mind is why anyone would bother with the
    additional complexities involved in doing so, along with all the new
    possible sources of error and insecurity, especially for a simple login
    page. I'm sure those who write these pages have their reasons, but it
    seems like a bad idea to me.
     
    Newsbox, Nov 29, 2005
    #7
  8. Jeffrey F. Bloss wrote:
    > Dr Balwinder Singh Dheeman wrote:
    >> Proteus wrote:
    >>> I am told by people in charge at the campus where I teach that this
    >>> login page is secure, that the form login info (username, password) is
    >>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
    >>> says the page is not encrypted, not secure. Can someone clarify how such
    >>> a login page can securely transmit the login info? Link to login page is
    >>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    > Just to clarify, the login form is built this way...
    >
    > <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
    > method="post" ... >
    >
    > doLogin.asp is essentially a bit of JavaScript that does this among other
    > things...
    >
    > form.action = 'https://lsc.ims.mnscu.edu';
    > [...]
    > form.submit();
    >
    > A secure connection is negotiated before any form data is submitted, so
    > nothing but the form and the login script is sent in the clear, to the
    > site's visitor. No names or passwords or anything go back the other way
    > unencrypted.


    Thank you for the explanation, and thanks to Proteus for
    bringing it up. This is something I've wondered about for
    a long time.

    I used snort to capture the session, and saw that port 443
    quickly came into play, and saw something resembling a
    certificate go past ("$Equifax Secure Certificate Authority0...0504211"),
    and noted that my "bait" username and password did not
    appear in the clear.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net
     
    Peter Pearson, Nov 29, 2005
    #8
  9. Newsbox wrote:
    > The question that remains in my mind is why anyone would bother with the
    > additional complexities involved in doing so, along with all the new
    > possible sources of error and insecurity, especially for a simple login
    > page. I'm sure those who write these pages have their reasons, but it
    > seems like a bad idea to me.


    I agree that straightforward tends to be better. I believe
    the motivation is saving the processing power that would
    be spent setting up secure sessions for people who come to
    the login page but do not log in.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net
     
    Peter Pearson, Nov 29, 2005
    #9
  10. Proteus

    Proteus Guest

    On Tue, 29 Nov 2005 13:25:33 -0500, Newsbox wrote:
    ...
    > I have come across similar "secure" logins on non-secure pages, also
    > questioned and was reassured, and did capture what was actually
    > transmitted. It was in fact encrypted, in the case that I looked at....


    Thank you everybody for the reassurance (from me and all the online
    teachers I work with). I am entering a new world, trying to learn some
    security stuff -- this page got me jolted to finally download and install
    Ethereal, which I did, and I barely know how to use it, but I captured a
    login at that page and saved it as a text file and looked for my login
    name and password and could not find it. But then I am a total newbie at
    Ethereal. But what you all say seems to confirm what I hopefully learned
    also with Ethereal. Thanks again all!
     
    Proteus, Nov 29, 2005
    #10
  11. Proteus

    Winged Guest

    Proteus wrote:
    > I am told by people in charge at the campus where I teach that this login
    > page is secure, that the form login info (username, password) is secure
    > when sent. But the browser page (Firefox, Mandriva Linux) info says the
    > page is not encrypted, not secure. Can someone clarify how such a login
    > page can securely transmit the login info? Link to login page is below:
    > http://www.lsc.edu/Online/VirtualCampusLogin.cfm
    >
    >


    The page is not secure for several reasons but the most glaring issue is
    the password login is passed via post method in the clear. This
    could be potentially intercepted using several methods or entry points.

    In a school environment I would definitely change the post login method being
    used; it is a tempting and easy target.

    Winged
     
    Winged, Nov 30, 2005
    #11
  12. Proteus

    Winged Guest

    Jeffrey F. Bloss wrote:
    > Proteus wrote:
    >
    >
    >>I am told by people in charge at the campus where I teach that this login
    >>page is secure, that the form login info (username, password) is secure
    >>when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >>page is not encrypted, not secure. Can someone clarify how such a login
    >>page can securely transmit the login info? Link to login page is below:
    >>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    >
    > It's secure enough. The login is handled by a client side script that
    > negotiates a connection to https://lsc.ims.mnscu.edu before the login form
    > data is submitted.
    >
    > I suppose it might be a tad more secure to have the page that presents the
    > login form sent securely because someone might be able to "man in the
    > middle" attack that page, and replace the script with a bogus one, but if
    > they have that ability it's not going to be much harder to just attack the
    > whole HTTPS connection anyway.
    >

    I missed the js login entry. All I noted was post method. Ignore my
    previous post, it apparently was in error.

    Winged
     
    Winged, Nov 30, 2005
    #12
  13. Proteus

    traveler Guest

    On Tue, 29 Nov 2005 11:12:05 -0600, Proteus <>
    wrote:

    >I am told by people in charge at the campus where I teach that this login
    >page is secure, that the form login info (username, password) is secure
    >when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >page is not encrypted, not secure. Can someone clarify how such a login
    >page can securely transmit the login info? Link to login page is below:
    >http://www.lsc.edu/Online/VirtualCampusLogin.cfm


    Sometimes the page has to be opened in a new window to see the actual
    encrypted (SSL) page, but it all depends on how the setup is made; if
    you open in a new window and you don't see the SSL, I wouldn't trust
    it.

    Regards
    >
     
    traveler, Dec 1, 2005
    #13
  14. Proteus

    Jim Watt Guest

    On Wed, 30 Nov 2005 23:52:52 -0800, traveler <>
    wrote:

    >On Tue, 29 Nov 2005 11:12:05 -0600, Proteus <>
    >wrote:
    >
    >>I am told by people in charge at the campus where I teach that this login
    >>page is secure, that the form login info (username, password) is secure
    >>when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >>page is not encrypted, not secure. Can someone clarify how such a login
    >>page can securely transmit the login info? Link to login page is below:
    >>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    >Some times the page has to be opened in a new window to see the actual
    >encrypted (SSL) page, but it all depends on how the set up is made, if
    >you open in a new window and you don't see the SSL, I wouldn't trust
    >it.


    It's badly designed, as although it is secure, it does not look that way
    to the user.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 1, 2005
    #14
  15. Proteus

    grenoble Guest

    grenoble, Dec 1, 2005
    #15
  16. Proteus

    Unruh Guest

    traveler <> writes:

    >On Tue, 29 Nov 2005 11:12:05 -0600, Proteus <>
    >wrote:


    >>I am told by people in charge at the campus where I teach that this login
    >>page is secure, that the form login info (username, password) is secure
    >>when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >>page is not encrypted, not secure. Can someone clarify how such a login
    >>page can securely transmit the login info? Link to login page is below:
    >>http://www.lsc.edu/Online/VirtualCampusLogin.cfm


    >Some times the page has to be opened in a new window to see the actual
    >encrypted (SSL) page, but it all depends on how the set up is made, if
    >you open in a new window and you don't see the SSL, I wouldn't trust
    >it.


    Here is the line
    <tr>
    <td align="right" bgcolor="#ffffff" bordercolor="#336666"
    width="250"><form
    action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
    method="post" name="processLogonForm"><br/><label
    for="userName">Username:</label>&nbsp;&nbsp; <input id="userName"
    name="userName" size="10"/> <br/><br/><label
    for="password">Password:</label>&nbsp;&nbsp;&nbsp; <input id="password"
    name="password" size="10" type="password"/> <br/><br/><input name="Login"
    type="submit"/></form><div align="right"><p class="toplinks"><a
    href="login.cfm">having problems?</a></p>

    </div></td>
    (all one line in the original). I do not know if the data gets sent to
    that https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp page before or after https is invoked.


    >Regards
    >>
     
    Unruh, Dec 1, 2005
    #16
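    One way to answer Unruh's question mechanically, as an added example for this thread (not code from the college, from D2L, or from any poster): parse the page's HTML and, for every form that carries a password field, resolve its action URL against the page URL the way a browser would and report the scheme. The page URL is the one from the original question, the first sample form is the markup quoted in posts #6 and #16, and the second, relative-action form is constructed here purely for contrast.

```python
"""Audit login forms for the pattern discussed in this thread: a page served
over plain HTTP whose <form action="..."> nevertheless points at https://, so
the credentials themselves travel over TLS.  Added example for this thread,
not code belonging to the college or to any poster."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL from the original question.
LSC_PAGE_URL = "http://www.lsc.edu/Online/VirtualCampusLogin.cfm"

# The form markup quoted in posts #6 and #16 (whitespace re-flowed only).
LSC_LOGIN_HTML = """<tr>
<td align="right" bgcolor="#ffffff" bordercolor="#336666" width="250"><form
action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" name="processLogonForm"><br/><label
for="userName">Username:</label>&nbsp;&nbsp; <input id="userName"
name="userName" size="10"/> <br/><br/><label
for="password">Password:</label>&nbsp;&nbsp;&nbsp; <input id="password"
name="password" size="10" type="password"/> <br/><br/><input name="Login"
type="submit"/></form><div align="right"><p class="toplinks"><a
href="login.cfm">having problems?</a></p>
</div></td>"""

# Constructed contrast case: same fields, but a relative action, which inherits
# the page's own (http) scheme, so the password would go out in the clear.
CLEARTEXT_FORM_HTML = """<form action="login.cfm" method="post">
<input name="userName"/> <input name="password" type="password"/>
<input type="submit"/></form>"""


class FormFinder(HTMLParser):
    """Collect each <form> with its action, method and password field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "password_fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, markup):
    """Return a finding for every form on the page that carries a password field."""
    parser = FormFinder()
    parser.feed(markup)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        # urljoin resolves relative actions against the page, which is exactly
        # how the browser decides which scheme the submission uses.
        action = urljoin(page_url, form["action"])
        findings.append({
            "action": action,
            "method": form["method"],
            "password_fields": form["password_fields"],
            "submits_over_tls": urlsplit(action).scheme.lower() == "https",
            "page_over_tls": urlsplit(page_url).scheme.lower() == "https",
        })
    return findings


def classify(finding):
    """Reduce a finding to the verdicts argued over in the thread."""
    if not finding["submits_over_tls"]:
        return "cleartext"                 # password leaves the browser unencrypted
    if finding["method"] != "post":
        return "password-in-query-string"  # TLS, but the URL ends up in logs/history
    if not finding["page_over_tls"]:
        # Post #3's caveat: the submission is encrypted, but the form and its
        # script arrived unauthenticated, so the action could have been altered.
        return "tls-submit-from-cleartext-page"
    return "ok"


if __name__ == "__main__":
    for label, markup in (("lsc", LSC_LOGIN_HTML), ("constructed", CLEARTEXT_FORM_HTML)):
        for f in audit_login_forms(LSC_PAGE_URL, markup):
            print(label, f["method"].upper(), f["action"], "->", classify(f))
```

    Run against the quoted markup it reports a POST to https://lsc.ims.mnscu.edu with the verdict "tls-submit-from-cleartext-page", which is the middle ground the thread ends up at: the credentials are encrypted in transit, but the form that sends them was delivered without any integrity protection. The verdict depends only on the action URL; it says nothing about what the page's script does afterwards, which is why the posters still confirmed the result with a packet capture.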
  17. Proteus

    grenoble Guest

    "Unruh" <> wrote in message
    news:dmnav9$t7u$

    > Here is the line
    > <tr>
    > <td align="right" bgcolor="#ffffff" bordercolor="#336666"
    > width="250"><form
    > action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
    > method="post" name="processLogonForm"><br/><label
    > for="userName">Username:</label>&nbsp;&nbsp; <input id="userName"
    > name="userName" size="10"/> <br/><br/><label
    > for="password">Password:</label>&nbsp;&nbsp;&nbsp; <input
    > id="password"
    > name="password" size="10" type="password"/> <br/><br/><input
    > name="Login" type="submit"/></form><div align="right"><p
    > class="toplinks"><a
    > href="login.cfm">having problems?</a></p>
    >
    > </div></td>
    > (all one line in the original). I do not know if the data gets sent
    > to that https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp
    > page before of after https is invoked.


    Ethereal shows quite plainly that the data are sent after the https (SSL) is
    invoked, but the data are NOT (repeat NOT) encrypted. They are sent as clear
    text userName/password to port 443 of the https server.
     
    grenoble, Dec 1, 2005
    #17
  18. Proteus

    Winged Guest

    grenoble wrote:
    > "Proteus" <> wrote in message
    > news:p...
    >
    >
    >>Can someone clarify how such a login
    >>page can securely transmit the login info? Link to login page is below:
    >>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >
    >
    > http://www.iss.net/security_center/reference/2110099.html results, and a
    > look at the ethereal capture at our router confirms that plain, unencrypted
    > text is transmitted over the SSL connection.
    >

    You mean I read the code and posted correctly, then I apologized after
    reading where someone had used Ethereal and said it was encrypted...
    ....thanks guys for looking harder than I did and confirming I was not as
    far gone as I thought I was....seems pretty weak security on a campus
    where kids seem to catch stuff easily..If I remember the page right it
    was one of the purtiest formatted pages I have seen recently even if it
    wasn't secure...

    Winged
     
    Winged, Dec 2, 2005
    #18
  19. Newsbox wrote:

    <snip>
    >
    > I have come across similar "secure" logins on non-secure pages, also
    > questioned and was reassured, and did capture what was actually
    > transmitted. It was in fact encrypted, in the case that I looked at. I
    > suspect that each such case of importance needs individual examination.
    > It seems there are different ways to divide a page into secure and
    > non-secure parts, ie. with frames or scripts.
    >

    It is indeed possible for a page to be assembled containing secure and
    non-secure parts. Every page element you see is the result of a new HTTP
    GET generated by your browser. This is far different from FTP, etc.

    > The question that remains in my mind is why anyone would bother with the
    > additional complexities involved in doing so, along with all the new
    > possible sources of error and insecurity, especially for a simple login
    > page. I'm sure those who write these pages have their reasons, but it
    > seems like a bad idea to me.


    You are 100% correct, IMO. I think it's bad from three different viewpoints.
    1- From the secure coder's perspective: complexity is the enemy of security.
    You introduce complexity *only* when you must. Full stop.
    2- From an auditor's perspective: complexity of analysis increases. You now
    have an inescapable need for either a code review, or to look at what's on
    the wire. To do a good job, that actually means looking at what's on the
    wire. More than one system has fallen because of code correctly written,
    but to an API that didn't function as per its docs.
    3- From the user's perspective: seeing a login page with http vice https in
    the location bar will put many people off. Not enough, though, or this
    technique would be extinct in the wild.

    Cheers,
    Greg

    --
    Greg Metcalfe
    GPG fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029
     
    Greg Metcalfe, Dec 2, 2005
    #19
  20. Proteus

    Rasta Robert Guest

    On 2005-12-01, Jim Watt <_way> wrote:
    > On Wed, 30 Nov 2005 23:52:52 -0800, traveler <>
    > wrote:
    >
    >>On Tue, 29 Nov 2005 11:12:05 -0600, Proteus <>
    >>wrote:
    >>
    >>>I am told by people in charge at the campus where I teach that this login
    >>>page is secure, that the form login info (username, password) is secure
    >>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
    >>>page is not encrypted, not secure. Can someone clarify how such a login
    >>>page can securely transmit the login info? Link to login page is below:
    >>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

    >>
    >>Some times the page has to be opened in a new window to see the actual
    >>encrypted (SSL) page, but it all depends on how the set up is made, if
    >>you open in a new window and you don't see the SSL, I wouldn't trust
    >>it.

    >
    > Its badly designed as although it is secure, it does not look that way
    > to the user.


    Could https://lsc.ims.mnscu.edu/ be used as an alternative and would
    that be safer?

    --
    <http://rr.www.cistron.nl/> -!- <http://www.rr.dds.nl/>
     
    Rasta Robert, Dec 2, 2005
    #20
