-
01-11-2005, 09:01 AM #1 - Web Hosting Master (Join Date: Jun 2001 | Posts: 747)
How easy is it to sniff usernames/passwords on a website?
Hello,
Firstly, I am not a "hacker" or anything like that. I'm just being paranoid.
I have set up a separate (online, web-based) business which will contain lots of reasonably important customer information (although no payment/credit card type information).
The customers log into the site using typical username/password textboxes. The login does NOT use https.
The administrators also use the same login system when logging in.
How easy would it be for someone to sniff the administrator username & password?
If possible, I'd like to try it myself.
Any information appreciated.
Thanks,
Steve
-
01-11-2005, 09:25 AM #2 - Junior Guru Wannabe (Join Date: Nov 2003 | Location: TeleCity 2, Amsterdam | Posts: 62)
I am wondering too.
Not only how easy can you sniff such data, but WHO can sniff such data?
All routers and servers used to transit this data?
-
01-11-2005, 09:33 AM #3 - Web Hosting Master (Join Date: Jun 2004 | Posts: 789)
It's not the easiest thing in the world. You have to be in between the client and the webserver for this. Meaning that the packets have to go through your machine (or one you have access to) en route to the server. But if you can get onto the route, then it's pretty simple if it's all being sent in clear-text. Somebody with a decent amount of knowledge could do it fairly easily.
Bottom line, if there's info that you want to protect, then you need to put in mechanisms to protect it. Hoping that people won't try to break your security is naive, because they will.
-
01-11-2005, 09:34 AM #4 - Web Hosting Master (Join Date: Jun 2004 | Posts: 789)
Originally posted by DennisCitus
I am wondering too.
Not only how easy can you sniff such data, but WHO can sniff such data?
All routers and servers used to transit this data?
-
01-11-2005, 10:40 AM #5 - Web Hosting Master (Join Date: Apr 2003 | Location: UK | Posts: 2,569)
Alternatively, if you're on the same hub/switch it's possible too.
If the data is transferred in plaintext then it's readable.
-
01-11-2005, 10:54 AM #6 - Aspiring Evangelist (Join Date: Dec 2004 | Posts: 350)
The above has been well stated.
I would only like to add, if the information is sensitive, you're doing yourself, your business, and your client base a disservice by not enabling "https", as this would encrypt the data being passed.
*NOTE* https does not mean you're 100% safe, though you are compared to how data's currently being passed.
Just my 2 cents
-
01-11-2005, 10:55 AM #7 - Junior Guru Wannabe (Join Date: Dec 2004 | Location: Back side of the Moon | Posts: 39)
people, please...
SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.
Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.
It truly is a no brainer.
my 2 cents...
-
01-11-2005, 11:00 AM #8 - Aspiring Evangelist (Join Date: Dec 2004 | Posts: 350)
Originally posted by wilcorp
people, please...
SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.
Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.
It truly is a no brainer.
my 2 cents...
-
01-11-2005, 11:09 AM #9 - Junior Guru Wannabe (Join Date: Dec 2004 | Location: Back side of the Moon | Posts: 39)
Well, anything FREE comes with a Signature or some tracking code or some bullpoop like that; remember there are also different grades of the same Certificate.
A 30.00 Cert. is about the minimum I would use. I do put them on clients' sites, but for my own projects I opt for a little more name brand and I do pay for it, but they come with the extra insurance to help recover should something go wrong.
It is important to know that a free Cert will not come with much support and this can be frustrating should the set-up process run into a snag.
My take: just use a reseller of the recognized name brand Certs., they are always cheaper, then check with your Host. If you are your own host, great, but do some homework, because even if you go the FREE route, if you're like me your time is generally not free.
my 2 cents...
-
01-11-2005, 11:18 AM #10 - Web Hosting Master (Join Date: Nov 2001 | Location: Ann Arbor, MI | Posts: 2,979)
Like bitfuzzy said, self signed certificates are free and don't have any tracking code. The only expense might be the IP address and paying someone to implement it.
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!
-
01-11-2005, 11:19 AM #11 - Aspiring Evangelist (Join Date: Dec 2004 | Posts: 350)
Nah, I didn't mean freely available.
I meant if he/she had the ability, and mod_ssl installed, he/she could literally create his/her own cert, and sign it.
The only drawback is that visitors would need to accept it via an informational popup.
It typically takes 2-3 min to set up, though the first couple of times tend to take longer heh
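The self-signed route described in this post, and the "just enable https" advice earlier in the thread, as a worked example. This is added here and is not code from the thread or from any poster: a POSIX shell script that generates a self-signed key and certificate with OpenSSL and writes a minimal Apache mod_ssl virtual host that redirects plain HTTP to HTTPS. It assumes OpenSSL 1.1.1 or later (for `-addext`), Apache 2.x with mod_ssl loaded, and the hostname `shop.example.test` and the directory paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: generate a self-signed certificate with
# OpenSSL and write a minimal Apache mod_ssl virtual host that serves the site
# over HTTPS and redirects plain-HTTP requests to it.
# Assumptions: OpenSSL 1.1.1+ (for -addext), Apache 2.x with mod_ssl loaded;
# the hostname and paths passed in are placeholders chosen by the caller.

make_selfsigned_cert() {
  # $1 = output directory, $2 = hostname the certificate is issued for
  dir=$1; host=$2
  mkdir -p "$dir"
  # One command creates a 2048-bit RSA key and a certificate signed with that
  # same key (self-signed), valid for 365 days, with CN and SAN = hostname.
  # -nodes leaves the key unencrypted so Apache can start without a passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/server.key"   # the private key must not be world-readable
}

cert_subject() {
  # $1 = directory holding server.crt; prints the certificate's subject line
  openssl x509 -in "$1/server.crt" -noout -subject
}

write_ssl_vhost() {
  # $1 = directory with server.key/server.crt, $2 = hostname,
  # $3 = config file to write (placeholder paths; adjust for your layout)
  dir=$1; host=$2; conf=$3
  cat > "$conf" <<EOF
# Plain HTTP only redirects, so the login form is never submitted in clear text.
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    DocumentRoot /var/www/$host
    SSLEngine on
    SSLCertificateFile    $dir/server.crt
    SSLCertificateKeyFile $dir/server.key
</VirtualHost>
EOF
}

# Stand-alone usage: "sh thisfile.sh demo" creates the files under ./ssl-demo
# for the placeholder hostname and prints the certificate subject.
if [ "${1:-}" = "demo" ]; then
  make_selfsigned_cert ./ssl-demo shop.example.test
  cert_subject ./ssl-demo
  write_ssl_vhost ./ssl-demo shop.example.test ./ssl-demo/shop.conf
fi
```

Because the certificate is signed by its own key rather than by a CA the browser trusts, visitors get exactly the warning the post mentions, and they have to accept it before the login form is sent over the encrypted connection; a CA-issued certificate installed with the same two `SSLCertificate*` directives removes that step.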
-
01-11-2005, 11:20 AM #12 - Web Hosting Master (Join Date: Apr 2003 | Location: UK | Posts: 2,569)
gone off on a bit of a tangent here...
-
01-11-2005, 11:22 AM #13 - Junior Guru Wannabe (Join Date: Oct 2004 | Location: Tampa, Florida | Posts: 80)
Something else to note is to maintain good security on your site and server and follow good security policies and procedures. If someone gains access to your server (linux or windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want.
eWebtricity
Hosting | Web Design | Server Administration
http://www.ewebtricity.net | sales@ewebtricity.net
http://www.1and1faq.com 1and1 Customer Support
-
01-11-2005, 11:25 AM #14 - Junior Guru (Join Date: May 2003 | Posts: 181)
If you want to test this out on your own home network and have a Linux box, I suggest trying dsniff and ethereal (ethereal has a Windows version too).
Ethereal is a real eye opener on a switched network.
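The two preceding posts raise the flip side of the question: a sniffer running on your own server (after a compromise) or on a machine on your network. As an added example, not code from the thread or any poster, here is a small host-side check for that. The tools named in the thread need the interface in promiscuous mode and an open raw packet socket, and Linux exposes both under /sys/class/net and /proc/net/packet. The directory and file arguments are there so the functions can be pointed at a constructed test tree; called without arguments they read the live system.

```shell
#!/bin/sh
# Added example, not from the thread: report interfaces in promiscuous mode and
# count open AF_PACKET (raw) sockets, the two host-side traces a packet sniffer
# leaves on Linux. Arguments default to the real /sys and /proc paths.

IFF_PROMISC=256   # 0x100, the PROMISC bit in the kernel's interface flags word

promisc_ifaces() {
  # $1 = sysfs net directory (default /sys/class/net); prints the name of
  # every interface whose flags word has the PROMISC bit set, one per line.
  base=${1:-/sys/class/net}
  for d in "$base"/*; do
    [ -r "$d/flags" ] || continue
    flags=$(( $(cat "$d/flags") ))      # file holds a hex value such as 0x1103
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
      basename "$d"
    fi
  done
}

packet_socket_count() {
  # $1 = path of the packet-socket table (default /proc/net/packet); prints the
  # number of open AF_PACKET sockets, i.e. sockets that receive raw frames.
  # A plain web server has none; a DHCP client or a sniffer will show up here.
  f=${1:-/proc/net/packet}
  [ -r "$f" ] || { echo 0; return; }
  awk 'NR > 1 && NF { n++ } END { print n + 0 }' "$f"
}

sniffer_report() {
  # $1 = sysfs net dir, $2 = packet table (both optional). Prints a one-line
  # verdict and returns 1 when something deserves a closer look.
  ifs=$(promisc_ifaces "$1")
  socks=$(packet_socket_count "$2")
  if [ -n "$ifs" ] || [ "$socks" -gt 0 ]; then
    echo "CHECK: promiscuous interfaces: $(echo $ifs) / packet sockets: $socks"
    return 1
  fi
  echo "OK: no promiscuous interfaces, no packet sockets"
}

# Stand-alone usage: "sh thisfile.sh live" checks the machine it runs on.
if [ "${1:-}" = "live" ]; then
  sniffer_report
fi
```

A hit is a lead, not a verdict: some legitimate daemons open packet sockets, and a sniffer can be stopped before you look, so compare the result with a baseline taken on a known-clean server and pair it with the file-integrity and login checks the server-hardening post above implies.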
-
01-11-2005, 11:32 AM #15 - Web Hosting Master (Join Date: Apr 2003 | Location: UK | Posts: 2,569)
I always used to like ettercap.
-
01-11-2005, 11:35 AM #16 - Junior Guru Wannabe (Join Date: Dec 2004 | Location: Back side of the Moon | Posts: 39)
Originally posted by bitfuzzy
Nah, I didn't mean freely available.
I meant if he/she had the ability, and mod_ssl installed, he/she could literally create his/her own cert, and sign it.
The only drawback is that visitors would need to accept it via an informational popup.
It typically takes 2-3 min to set up, though the first couple of times tend to take longer heh
ohhhh,
I missed that. I think that is an interesting method; I've seen it being done but never done it myself. Your point about the drawback could not be overstated; this is extremely important based on what you're doing and who your client base is.
But if none of that matters, it's surely ideal.
You'll have to update from a name-based domain account to an IP-based one. If you're not the Admin, your Admin will like to charge you to do this, but it seriously is a 5 minute account update.
Don't let them charge you; here is why: your Cert will only work on their server (the server you bought it for). That means if you move your operation to another server in the duration of your current Cert, you'll have to buy another Cert for the new server; the old Cert will be invalid.
So tell your Admin you know this, and you know it (sorta) locks you into his/her server, and for that (benefit to him / 1 year client) he needs to make the update at no charge. (Shouldn't take 5 / 10 minutes.)
Generally they have to delete the first name-based account to create the second IP-based account, so you'll need good back-ups of your files and database (if you use one).
Best of luck whatever you choose to do.
-
01-11-2005, 05:22 PM #17 - Web Hosting Master (Join Date: Jun 2004 | Posts: 789)
You should just spend the small amount of money for an SSL cert. If you've got sensitive data on there, protect it. If you're not going to, at least make your customers aware that you're not using any encryption.
-
01-11-2005, 05:40 PM #18 - Aspiring Evangelist (Join Date: Dec 2004 | Posts: 350)
Originally posted by wilcorp
Your point about the drawback could not be overstated; this is extremely important based on what you're doing and who your client base is.
But if none of that matters, it's surely idea...
I've found that notifying visitors what the message is before they see it helps ease tension. I use them for E-Sales, and not many opt for alternate payment methods.
The only reason I use a self-signed cert is because of the Verisign cert nightmare a year ago; I'll never have a dependency on an outside service if it's within my control to provide it myself.
-
01-11-2005, 11:13 PM #19 - Junior Guru Wannabe (Join Date: Feb 2002 | Posts: 31)
If someone gains access to your server (linux or windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want
What would you recommend?