Re: Is a signon to an SSL site from an http:// page secure?
Greg Rundlett <[EMAIL PROTECTED]> writes:

> On 6/23/05, Paul Lussier <[EMAIL PROTECTED]> wrote:
>
>>     tcpdump -i en1 -qe -vvv -ls 400 port https
> ...
> Most useful for debugging and developing web applications, you can
> install the 'LiveHTTPHeaders' extension into your browser to view the
> HTTP Headers while you surf. http://livehttpheaders.mozdev.org/.

My favorite way to capture this information is via Ethereal. Click on a
frame involved in a TCP connection and select "Follow TCP Stream". Very
very handy.

FIN, ACK, FIN, ACK.

--kevin
--
GnuPG ID: B280F24E                  And the madness of the crowd
alumni.unh.edu!kdc                  Is an epileptic fit
                                    -- Tom Waits
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Is a signon to an SSL site from an http:// page secure?
On 6/23/05, Paul Lussier <[EMAIL PROTECTED]> wrote:
>
>     tcpdump -i en1 -qe -vvv -ls 400 port https
>
> This will show you a lot more... and this:
>
>     tcpdump -i en1 -qexX -vvv -ls 400 port https
>
> might even show you something interesting :)
>

Most useful for debugging and developing web applications, you can
install the 'LiveHTTPHeaders' extension into your browser to view the
HTTP Headers while you surf. http://livehttpheaders.mozdev.org/.
Re: Is a signon to an SSL site from an http:// page secure?
Ted Roche <[EMAIL PROTECTED]> writes:

> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely. I
> have my doubts. Here's a portion of their claim, from the front page
> of http://www.navyfcu.org. I'd welcome opinions.

As others have noted, the page you type your information into is not
necessarily where you end up sending the information by clicking submit.
Also as noted by others, you can discover this by looking at the source
for the web page you're viewing. However, it's rather easy to miss this
information, and if you're ever in doubt, the best way to determine
what's getting passed to a remote system is to watch what passes over
the wire.

To do this, fire up tcpdump or, if GUIs are your thing, use
'ethereal'[1]. Using tcpdump you can quickly see traffic going to an
SSL-secured website with something like this:

    tcpdump -i en1 port https

This won't tell you more than that you've connected to a secure site and
are passing some traffic.

    tcpdump -i en1 -qe -vvv -ls 400 port https

This will show you a lot more... and this:

    tcpdump -i en1 -qexX -vvv -ls 400 port https

might even show you something interesting :)

With the latter, if you remove the last s and just scan for http, you'll
be able to see all the HTTP GETs your browser is requesting from the
remote server. For example, in the following packet, you can clearly see
a GET for an image, and the client informing the server what browser I'm
using, among other things:

21:52:52.564502 00:03:93:ee:39:3c > 00:09:5b:6b:74:8e, IPv4, length 633: IP (tos 0x0, ttl 64, id 28269, offset 0, flags [DF], length: 619) 192.168.10.6.50153 > mobile9.com.http: tcp 579
0x0000: 0009 5b6b 748e 0003 93ee 393c 0800 4500  ..[kt.9<..E.
0x0010: 026b 6e6d 4000 4006 70aa c0a8 0a06 4313  [EMAIL PROTECTED]@.p.C.
0x0020: 4bb4 c3e9 0050 0f4e bb70 ea99 a8b9 5018  KP.N.pP.
0x0030: 688e 4745 5420 2f69 6d61 6765  ..h...GET./image
0x0040: 732f 666f 6f74 6572 626f 7474 6f6d 5f30  s/footerbottom_0
0x0050: 332e 6769 6620 4854 5450 2f31 2e31 0d0a  3.gif.HTTP/1.1..
0x0060: 486f 7374 3a20 772e 7765 6268 6f73  Host:.www.webhos
0x0070: 7469 6e67 6465 762e 636f 6d0d 0a55 7365  tingdev.com..Use
0x0080: 722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
0x0090: 2f35 2e30 2028 4d61 6369 6e74 6f73 683b  /5.0.(Macintosh;
0x00a0: 2055 3b20 5050 4320 4d61 6320 4f53 2058  .U;.PPC.Mac.OS.X
0x00b0: 204d 6163 682d 4f3b 2065 6e2d 5553 3b20  .Mach-O;.en-US;.
0x00c0: 7276 3a31 2e37 2e35 2920 4765 636b 6f2f  rv:1.7.5).Gecko/
0x00d0: 3230 3034 3131 3037 2046 6972 6566 6f78  20041107.Firefox
0x00e0: 2f31 2e30 0d0a 4163 6365 7074 3a20 696d  /1.0..Accept:.im
0x00f0: 6167 652f 706e 672c 2a2f 2a3b 713d 302e  age/png,*/*;q=0.
0x0100: 350d 0a41 6363 6570 742d 4c61 6e67 7561  5..Accept-Langua
0x0110: 6765 3a20 656e 2d75 732c 656e 3b71 3d30  ge:.en-us,en;q=0
0x0120: 2e35 0d0a 4163 6365 7074 2d45 6e63 6f64  .5..Accept-Encod
0x0130: 696e 673a 2067 7a69 702c 6465 666c 6174  ing:.gzip,deflat
0x0140: 650d 0a41 6363 6570 742d 4368 6172 7365  e..Accept-Charse
0x0150: 743a 2049 534f 2d38 3835 392d 312c 7574  t:.ISO-8859-1,ut
0x0160: 662d 383b 713d 302e 372c 2a3b 713d 302e  f-8;q=0.7,*;q=0.
0x0170: 370d 0a4b 6565 702d 416c 6976 653a 2033  7..Keep-Alive:.3
0x0180: 3030 0d0a 436f 6e6e 6563 7469 6f6e 3a20  00..Connection:.

Obviously, if you're connecting to an SSL-enabled system, then
everything you see will be garbage.

Footnote:

[1] It's pronounced e-thereal, NOT ether-real. Ethereal is *actually* a
    REAL word, not something made up for a piece of software which just
    happens to work with ether-net.

--
Seeya,
Paul
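As an added example (not Paul's code), here is a small parser for the hex column of `tcpdump -x`/`-X` output that reassembles the bytes and pulls out the request line and headers when the stream is cleartext HTTP, and returns nothing for an SSL/TLS stream, which is the "garbage" Paul mentions. The dump lines are constructed, on the assumption that they show only the TCP payload from offset 0.

```python
import re

# Constructed sample in `tcpdump -X` hex/ASCII layout (assumption: only the
# TCP payload is shown, starting at offset 0x0000): a cleartext HTTP GET.
SAMPLE_DUMP = """\
0x0000:  4745 5420 2f6c 6f67 696e 2048 5454 502f  GET./login.HTTP/
0x0010:  312e 310d 0a48 6f73 743a 2065 7861 6d70  1.1..Host:.examp
0x0020:  6c65 2e63 6f6d 0d0a 5573 6572 2d41 6765  le.com..User-Age
0x0030:  6e74 3a20 4d6f 7a69 6c6c 612f 352e 300d  nt:.Mozilla/5.0.
0x0040:  0a0d 0a                                  ...
"""
# Constructed TLS stream in the same layout: a handshake record header, then opaque bytes.
TLS_DUMP = "0x0000:  1603 0100 2a01 0000 2603 03a9 f1c3 8e00  ....*....&......\n"
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4})(?:\s{2,}.*)?$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble the hex column of tcpdump -x/-X output into the raw bytes."""
    chunks = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:  # lines that do not match are packet summaries; skip them
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
    chunks.sort(key=lambda c: c[0])
    return b"".join(data for _, data in chunks)


def extract_http_request(payload: bytes):
    """Return (request line, {header: value}) for a cleartext HTTP request, or None
    when no header block is readable, which is what an SSL stream looks like."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if not re.match(r"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0]):
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


if __name__ == "__main__":
    for label, dump in (("port http", SAMPLE_DUMP), ("port https", TLS_DUMP)):
        print(label, "->", extract_http_request(parse_tcpdump_hex(dump)))
```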
Re: Is a signon to an SSL site from an http:// page secure?
On Jun 23 at 1:41pm, Ted Roche wrote:

> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely.

Everybody's comments about the form's submit method are accurate as far
as they go. If the information in the form is submitted via an HTTPS
URL, then you get SSL protection for the data submitted via said form.
That will provide protection against attackers sniffing your data. In
other words, this is providing /confidentiality/.

There are other threats, however. In particular, if the HTML form itself
was sent via HTTP, you lack /authenticity/. Maybe bad guys are
intercepting the connection and feeding you a fake form that just
*looks* like the real thing. This is a lot easier with cleartext HTTP.
With SSL, you can always click the little key/lock and check the
certificate. There's a fairly high level of confidence associated with
that. (Well, in theory, anyway. VeriSign frell-ups notwithstanding.)

For example, if I'm making a Paypal payment, you can bet I carefully
check the certificate before punching in my password, to make sure I'm
using the real Paypal system. I couldn't do that if only the form
submission was SSL'ed.

Of course, there's also Gene "spaf" Spafford's apt observation:

"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living in a
cardboard box to someone living on a park bench."

If you've been watching the IT security news these past few months,
you'll have noticed that most organizations spend more effort on buying
paperclips than protecting customer data.

-- Ben <[EMAIL PROTECTED]>
Re: Is a signon to an SSL site from an http:// page secure?
On Thu, 2005-06-23 at 13:41 -0400, Ted Roche wrote:
> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely. I
> have my doubts. Here's a portion of their claim, from the front page
> of http://www.navyfcu.org. I'd welcome opinions.
>
> "Your experience online is very important to Navy Federal, and the
> Account Access Sign On is conveniently located on our Navy Federal
> home page. However, you may have recognized that, when you are on the
> home page, the familiar security symbols do not appear in your
> browser to symbolize that the page is secure. In fact, the home page
> itself is informational and not encrypted. Therefore it does not
> display the familiar “Lock” symbol in the bottom right–hand corner,
> nor does the address line begin with https. However, it is “safe” to
> enter your sign-on information from the home page. Your Access
> Number, User ID and Password are not transmitted until you click the
> “Sign On” button. After you click the “Sign On” button, a secure,
> encrypted connection is established between your personal computer’s
> browser and our Navy Federal systems, using Secure Socket Layers
> (SSL). After you click “Sign On”, you can validate that SSL is being
> used by seeing that “https” is displayed at the beginning of the data
> in your browser’s address line."

This is correct. The form will call another URL (probably POST). Check
the page source and look for the form's script URL - it probably begins
with https://

Frank DiPrete <[EMAIL PROTECTED]>
Re: Is a signon to an SSL site from an http:// page secure?
Ted Roche wrote:
> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely. I
> have my doubts. Here's a portion of their claim, from the front page
> of http://www.navyfcu.org. I'd welcome opinions.
> ...

Their login form is within a '<form action="https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc?Logon" ...>'.
Since they are POSTing to an HTTPS site, then the password will go over
a SSL connection.

--Bruce
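Frank and Bruce point at the form's action attribute, and Ben at the difference between an encrypted submission (confidentiality) and a form you can actually verify (authenticity). The following added example (not code from any poster) parses a constructed page with Python's html.parser, resolves each password form's action against the URL the page was loaded from, and reports both properties; all hosts in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect every <form> on the page and note whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() == "password":
            self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def assess_login_forms(page_url: str, html: str) -> list:
    """For each form with a password field, report where the credentials go and what that buys."""
    parser = FormFinder()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    report = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # An empty action submits to the page's own URL and a relative one inherits
        # the page's scheme, so an http:// page posting to "/login" is cleartext.
        target = urljoin(page_url, form["action"])
        submit_https = urlsplit(target).scheme == "https"
        if not submit_https:
            verdict = "credentials sent in cleartext"
        elif not page_https:
            verdict = "credentials encrypted, but the form came over http and cannot be verified"
        else:
            verdict = "form and submission both over https"
        report.append({"action": target, "method": form["method"], "confidentiality": submit_https,
                       "authenticity": page_https, "verdict": verdict})
    return report


# Constructed sample (placeholder hosts): a plain-http home page whose sign-on
# form posts to an https host, next to an ordinary search form.
HOME_PAGE_HTML = """<html><body><form method="post" action="https://accounts.example.com/cgi-bin/logon">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form></body></html>"""
```

Running `assess_login_forms("http://www.example.com/", HOME_PAGE_HTML)` reports the sign-on form as confidential but not authentic, which is exactly the split Ben describes.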
Re: Is a signon to an SSL site from an http:// page secure?
That's just as secure. The HTTPS in your location bar means the page
you're on is secure. In the case of the site you gave, the form itself
is submitting to an HTTPS page, so that data is sent with a request to a
secure server, after that new secure connection is established. It's
usually more satisfying for people if they can already see the lock icon
in their browser when typing it in, but it really doesn't have much to
do with it.

-N

> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely. I
> have my doubts. Here's a portion of their claim, from the front page
> of http://www.navyfcu.org. I'd welcome opinions.
>
> "Your experience online is very important to Navy Federal, and the
> Account Access Sign On is conveniently located on our Navy Federal
> home page. However, you may have recognized that, when you are on the
> home page, the familiar security symbols do not appear in your
> browser to symbolize that the page is secure. In fact, the home page
> itself is informational and not encrypted. Therefore it does not
> display the familiar “Lock” symbol in the bottom right-hand corner,
> nor does the address line begin with https. However, it is “safe” to
> enter your sign-on information from the home page. Your Access
> Number, User ID and Password are not transmitted until you click the
> “Sign On” button. After you click the “Sign On” button, a secure,
> encrypted connection is established between your personal computer’s
> browser and our Navy Federal systems, using Secure Socket Layers
> (SSL). After you click “Sign On”, you can validate that SSL is being
> used by seeing that “https” is displayed at the beginning of the data
> in your browser’s address line."
Is a signon to an SSL site from an http:// page secure?
I always thought that you needed to be using an https:// page before
sending user names and passwords to log in. My credit union claims this
isn't true, and that since clicking the signon button takes you to an
SSL page, the information typed in is transmitted securely. I have my
doubts. Here's a portion of their claim, from the front page of
http://www.navyfcu.org. I'd welcome opinions.

"Your experience online is very important to Navy Federal, and the
Account Access Sign On is conveniently located on our Navy Federal home
page. However, you may have recognized that, when you are on the home
page, the familiar security symbols do not appear in your browser to
symbolize that the page is secure. In fact, the home page itself is
informational and not encrypted. Therefore it does not display the
familiar “Lock” symbol in the bottom right-hand corner, nor does the
address line begin with https. However, it is “safe” to enter your
sign-on information from the home page. Your Access Number, User ID and
Password are not transmitted until you click the “Sign On” button. After
you click the “Sign On” button, a secure, encrypted connection is
established between your personal computer’s browser and our Navy
Federal systems, using Secure Socket Layers (SSL). After you click “Sign
On”, you can validate that SSL is being used by seeing that “https” is
displayed at the beginning of the data in your browser’s address line."