Re: is this webpage secure?

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 11/29/05


Date: Tue, 29 Nov 2005 18:20:38 GMT

From: "Dr Balwinder Singh Dheeman" <bsd.SANSPAM@sebs.org.in>

| Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
|
| No, I don't think so; you are sending clear text data via _http_ (port 80),
| whereas URLs for secure pages send encrypted data via _https_ (http
| via ssl, port 443).
|
| You can verify/confirm it by capturing data on port 80 and/or 443 with
| the help of tcpdump(8) and/or ethereal(1).
|

I just used Ethereal and the packet decode does show https (443) to 199.17.13.240

It shows "Client Key Exchange, Change Cipher Spec., Encrypted Handshake Message"

I couldn't see a Clear Text of my faux Username and Password

Looking at the HTML source I find...

<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post"
name="processLogonForm"><br/>
<label for="userName">Username:</label>&nbsp;&nbsp;
<input id="userName" name="userName" size="10"/> <br/><br/>
<label for="password">Password:</label>&nbsp;&nbsp;&nbsp;
<input id="password" name="password" size="10" type="password"/> <br/><br/>
<input name="Login" type="submit"/></form>
<div align="right"><p class="toplinks">having problems?</p>
</div></td>

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
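
Added example (not part of the original post, and not the site's own code): a small Python check that reproduces the distinction found above, reporting for each form with a password field whether the page itself was delivered over HTTPS and whether the form submits to HTTPS. The two URLs are the ones quoted in the thread; the sample markup is constructed from the quoted fragment (the opening form tag and the second form are assumptions), and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the fragment quoted in the post.
SAMPLE_PAGE_URL = "http://www.lsc.edu/Online/VirtualCampusLogin.cfm"
SAMPLE_HTML = """
<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post" name="processLogonForm">
<input id="userName" name="userName" size="10"/>
<input id="password" name="password" size="10" type="password"/>
<input name="Login" type="submit"/></form>
<form action="search.cfm" method="get"><input name="q"/></form>
"""

class LoginFormFinder(HTMLParser):
    """Collect the resolved action URL of every form holding a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current = None       # form being parsed, or None outside a form
        self.login_forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self.current = {"name": a.get("name"), "has_password": False,
                            "action": urljoin(self.page_url, a.get("action") or "")}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["has_password"]:
                self.login_forms.append(self.current)
            self.current = None

def audit_login_forms(page_url, html):
    """Return one record per login form: where it posts and what is encrypted."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    finder.close()
    page_encrypted = urlsplit(page_url).scheme == "https"
    return [{"form": f["name"], "action": f["action"],
             "page_encrypted": page_encrypted,
             "submit_encrypted": urlsplit(f["action"]).scheme == "https"}
            for f in finder.login_forms]

if __name__ == "__main__":
    for record in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(record)
```

For the sample, the page is reported as not encrypted while the submission is, which matches both the browser's page info and the Ethereal capture described in the thread.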

