August 16, 2009

Back in April of this year I made a startling discovery regarding a certain web site that I was required to use for one of my college classes. This web site was not using SSL on its login page.

For those who don't understand how SSL works, here's a partially summarized explanation:
SSL (Secure Sockets Layer) is a protocol that was designed to transmit data securely across the Internet. Data transfered across an SSL connection is encrypted using a public key. TLS (Transport Layer Security), an extension of SSL, is a protocol designed to provide privacy and data integrity between devices communicating across the Internet. Together, these two protocols are known as SSL/TLS.

There are two layers that make up SSL/TLS, the TLS Handshake Protocol and the TLS Record Protocol. The TLS Handshake Protocol is where the authentication between the server and client takes place, as well as the negotiation of the encryption that will be used during the communication. The TLS Record Protocol ensures privacy during communication by using data encryption.

SSL is used to secure web communications by way of HTTPS (Hypertext Transport Protocol over Secure Sockets Layer). This differs from HTTP in that data is sent over SSL/TLS, and is therefore encrypted. HTTP, on the other hand, sends data as plain text.

Knowing all if this, the problems with the discovery that I made start to become clear. With users submitting their login information over HTTP and not HTTPS they were unknowingly transmitting their usernames and passwords to the site as plain text.

This was big a problem.

With data transferring insecurely, an attacker on the same network as the user could run a packet capturing application to obtain the user's login information to this particular web site. The security problems start to really add up when it is taken into account that many users still use the same login credentials across multiple web sites. With this in mind, the security flaw with this one site can potentially compromise multiple web site accounts owned by a user.

Eventually, I had one of my IT instructors notify the web site's administration about this flaw so that they could fix it. Four months later and this is what can be seen in the packets sent to the web site.

It has yet to be fixed.
Categories: , , ,

1 comment:

Subscribe to RSS Feed Follow me on Twitter!