It depends upon network topology.
If the hub for the LAN also connects to the HTTP server, then all traffic to and from the HTTP server may be broadcast over the LAN and therefore available to any host on the LAN for sniffing. Properly configured switches are better as they eliminate this broadcasting of data. An improperly configured switch is just as bad as a hub. A host can let the switch know that it is in promiscuous mode and have the switch copy all of its traffic onto that host's port. Routers can easily have this same problem. Moreover, many switches and routers leave their SNMP ports open and available. That way anyone who knows how can get any traffic they want (that passes through the device). That's why I'm an advocate of encryption in any situation where you don't have complete control over the operating environment of the network application.
To actually answer the sniffer question: usually any sniffer that has an option to snag passwords will work. The only thing that remains is to get a device in the remote path to send you copies of its traffic. Many routers support this feature for debugging. But this situation is much less of a threat.
Noel

Gregory Malsack wrote:
p.s. I'm only familiar with a small amount of packet sniffers. They can only sniff packets sent or received by the local network. They cannot sniff packets sent or received from one remote network to another remote network. Do you have one that can?

Greg
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noel Henson
Sent: Sunday, August 11, 2002 4:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [SL] SQL Ledger and Security

That works for machine or network access control. There still exists the problem that HTTP passwords are transferred in plain text. A simple protocol sniffer can extract them. For real security, the connection must be encrypted. That's why I prefer HTTPS.

Gregory Malsack wrote:
Hi All,

	I use the allow option in the httpd.conf file to limit access to the
sql-ledger location to only my network and other networks that I trust. Then
if I'm at a client site where I don't trust the connection, I use putty to
get an ssh connection to my server and run the software through lynx. It's
not pretty but it works. I think that is pretty secure. Let me know if I'm
wrong.

Greg

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Mastin
Sent: Sunday, August 11, 2002 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [SL] SQL Ledger and Security


Then you are not using encrypted passwords. My six figure password comes
back as 10 figures, and they are all wrong, in character/letter/numeral as
well as case.

I already thought about the SSL or https solution, but:

Just place the mouse on any link on the sidebar menu. You will see your
password again! Everyone with access to your computer can see that. It is
very easy to hack anyway.

Antonio Gallardo


On Sunday, 11 August 2002 00:07, John Summerfield wrote:
On Sun, 11 Aug 2002 12:35, Antonio Gallardo Rivera wrote:

How:
With a TCP/IP packet sniffer someone can check the responses from the Web
Server inside your LAN or Internet. When the Web Client is receiving the
menu sidebar, many times the username and password are in plain text!

It's worse, of course, when you access your accounts from clients' sites or
through other places not under your control.

Resolution:
First: I am not a security expert to tell exactly how to resolve this
problem. Maybe using encrypted passwords or some kind of session cookies
can help us. I saw some encryption libraries in Perl.

https I guess. In the short term, use the ssh command (or similar) to
connect to a safe box (maybe the server) and process transactions that
way.

Depending on your setup you might still be able to use a GUI browser such
as Mozilla, or you may need to use lynx or links.
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
-------------------------------------------------------
(un)subscribe: http://lists.sourceforge.net/lists/listinfo/sql-ledger-users
Archive: http://www.mail-archive.com/[email protected]/


--
Keith Mastin       BeechTree Information Technology Services Inc.
137 Laird Drive    Toronto    M4G 3V5     http://www.beechtree.ca
  (416)696-6070      Fax(416)696-6072      [EMAIL PROTECTED]
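The recurring point of the thread is credentials carried in plain text: on the wire, and in the sidebar links the application generates, which is why hovering over a menu link shows the password. Moving to HTTPS protects the wire but not the second problem, because a password in a URL is still written to the web server's access log, the browser history, and the Referer header sent with the next request. As an added example that is not part of this thread or of SQL-Ledger's own code, here is a small Python audit that scans combined-format access-log lines for credential parameters in request URLs and Referer headers, and a redaction helper for logging such URLs safely. The log lines, the host name and the URL shapes (login/password query parameters) are constructed for the example and assumed, not taken from SQL-Ledger.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values must never appear in a URL. These names are
# assumptions for this example, not SQL-Ledger's actual parameter names.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}

# Combined-format access-log lines, constructed for this example.
# Client 10.0.0.5 uses an application that puts credentials in every link;
# client 10.0.0.7 posts the login form once and then carries a session token.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Aug/2002:12:35:00 -0400] "GET /sql-ledger/menu.pl?login=greg&password=s3cret&path=bin/mozilla HTTP/1.1" 200 1432 "http://ledger.example/sql-ledger/login.pl" "Mozilla/5.0"
10.0.0.5 - - [11/Aug/2002:12:35:02 -0400] "GET /sql-ledger/ar.pl?action=add&login=greg&password=s3cret HTTP/1.1" 200 9871 "http://ledger.example/sql-ledger/menu.pl?login=greg&password=s3cret" "Mozilla/5.0"
10.0.0.7 - - [11/Aug/2002:12:40:10 -0400] "POST /sql-ledger/login.pl HTTP/1.1" 302 0 "-" "Lynx/2.8"
10.0.0.7 - - [11/Aug/2002:12:40:11 -0400] "GET /sql-ledger/menu.pl?session=9f2a HTTP/1.1" 200 1432 "-" "Lynx/2.8"
"""

# Apache/NCSA "combined" log format; the referer/agent pair is optional so
# plain "common" format lines are accepted too.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def credential_params(url):
    """Return the sorted names of sensitive query parameters present in url."""
    query = urlsplit(url).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL can be logged."""
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="/" keeps path-like values such as "bin/mozilla" readable.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/")))


def audit_log(text):
    """Scan access-log text; report every request URL or Referer carrying a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            if not url or url == "-":
                continue
            leaked = credential_params(url)
            if leaked:
                findings.append({
                    "line": lineno,
                    "client": m["client"],
                    "where": where,
                    "path": urlsplit(url).path,
                    "params": leaked,
                })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} leaks {f['params']} "
              f"in {f['where']} ({f['path']})")
```

Every hit from this audit is a credential that has already been stored outside the application, in the log itself and, for the Referer findings, on whatever server the browser navigated to next. The second sample client's lines show the shape the thread converges on: credentials sent once in a POST body, after which each link carries only a session token, with HTTPS covering the wire.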