RE: Encrypted or Not Encrypted



Hi All,

To put it simply, when you type in the password, it's in the browser client on your machine. When you press the submit button, this information is sent to the secured destination as defined in the log.

For your browser to connect to the secured destination (before any data is submitted) it has to open an SSL tunnel (hence handshake and key exchange...) between your computer and that destination.

Only afterwards will the password be sent.

Best Regards,

Boaz Shunami, QSA
Comsec Consulting

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Basha, Arif
Sent: Tuesday, September 16, 2008 10:23 PM
To: Douglas C. Duckworth; Rob
Cc: Eifrém Strinnholm Jonas; amatachick@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Encrypted or Not Encrypted

I think Rob is talking about a difference similar to that between the following two sites:

http://wachovia.com/

and

https://onlineservices.wachovia.com/auth/AuthService?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction%3dreturnHome

So if you enter the password on the first URL, is it secured on its way to the second URL, where the SSL handshake is initiated from?




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Douglas C. Duckworth
Sent: Tuesday, September 16, 2008 12:36 PM
To: Rob
Cc: Eifrém Strinnholm Jonas; <amatachick@xxxxxxxxx>; <security-basics@xxxxxxxxxxxxxxxxx>
Subject: Re: Encrypted or Not Encrypted

If you connect with SSL, you perform the handshake first. Thereafter
all data is encrypted. You don't send your password first. That would
make no sense since the data is viewable as plain text.

More information:

http://www.schneier.com/paper-ssl.pdf

Rob wrote:
So how are the credentials protected in network transit to the secure
site? The way you explain it, I see the creds being exposed on their
way to the secure site.

Optimally they should enter their creds after SSL has set up the secure
session, not after...

What am I missing?

Rob

Sent from my iPhone

On Sep 12, 2008, at 6:44 AM, Eifrém Strinnholm Jonas
<Jonas.Eifrem@xxxxxxxx> wrote:

Encrypted.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of amatachick@xxxxxxxxx
Sent: 11 September 2008 20:25
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Encrypted or Not Encrypted

I've run into this issue a few times now and would like to know what y'all
think. Here is the situation: A website not using SSL has a login page. As
soon as credentials are entered on this page they are redirected to a site
using SSL. Here is a specific example of the code on one such site:

<form name="loginpersonal" method="POST"
      action="https://secure.sitename.com/engine/login/login.asp"
      onSubmit="return checkLoginForm(this);">

<input type=hidden name=IsPostback value=1>

Now, from what I understand, the login credentials would still be
unencrypted while traveling to the secure site. So that would negate the
effect of having it redirect to a secure site in the first place. Right? I
keep bringing up this fact but all I get back is that it's being redirected
so it's secure. I feel like I'm taking crazy pills here so I'd appreciate
some feedback. Am I wrong? If I am I can handle that, I'd just like to know.
Thanks!
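As an added example (not written by anyone in this thread), a small Python audit that applies the thread's reasoning to a fetched login page: it finds each form containing a password field, resolves where the credentials will be POSTed, and reports whether that action URL is https (so the password leaves the browser only after the TLS handshake) and whether the page carrying the form was itself served over https. The sample page is constructed from the form snippet quoted above; the page URL and the password field name are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        if tag == "form":
            self._cur = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_login_forms(page_url, html):
    """One finding per password form: where the credentials go and how they are protected."""
    p = _FormCollector()
    p.feed(html)
    findings = []
    for form in p.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or "")  # no action: submits to the page itself
        findings.append({
            "action": action,
            # The thread's point: the POST body leaves the browser only after the TLS handshake
            # with the action host, so an https action keeps the password encrypted in transit.
            "password_encrypted_in_transit": urlsplit(action).scheme == "https",
            # The caveat: a form delivered over plain http is not integrity-protected, so the
            # browser cannot vouch for where the credentials will actually be submitted.
            "form_integrity_protected": urlsplit(page_url).scheme == "https",
        })
    return findings


# Constructed sample modelled on the thread's snippet (sitename.com is its placeholder host;
# the page URL and the password field are assumed).
SAMPLE_PAGE_URL = "http://www.sitename.com/"
SAMPLE_HTML = """<form name="loginpersonal" method="POST"
  action="https://secure.sitename.com/engine/login/login.asp" onSubmit="return checkLoginForm(this);">
  <input type=hidden name=IsPostback value=1><input type="password" name="password"></form>"""
```

`audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` yields one finding: the password is encrypted in transit, but the form that carries it is not integrity-protected.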