  1. #1
    Join Date
    Jun 2001
    Posts
    747

    How easy is it to sniff usernames/passwords on a website?

    Hello,

    Firstly, I am not a "hacker" or anything like that. I'm just being paranoid.

    I have set up a separate (online, web-based) business which will contain lots of reasonably important customer information (although no payment/credit card type information.)

    The customers log into the site using typical username/password textboxes. The login does NOT use https.

    The administrators also use the same login system when logging in.

    How easy would it be for someone to sniff the administrator username & password?

    If possible, I'd like to try it myself.

    Any information appreciated.

    Thanks,
    Steve

  2. #2
    Join Date
    Nov 2003
    Location
    TeleCity 2, Amsterdam
    Posts
    62
    I am wondering too.

    Not only how easy can you sniff such data, but WHO can sniff such data?

    All routers and servers used to transit this data?
    Citus.nl - Dedicated Servers in The Netherlands
    http://www.citus.nl - info@citus.nl

  3. #3
    It's not the easiest thing in the world. You have to be in between the client and the webserver for this. Meaning that the packets have to go through your machine (or one you have access to) en route to the server. But if you can get onto the route, then it's pretty simple if it's all being sent in clear-text. Somebody with a decent amount of knowledge could do it fairly easily.

    Bottom line, if there's info that you want to protect, then you need to put in mechanisms to protect it. Hoping that people won't try to break your security is naive, because they will.

  4. #4
    Originally posted by DennisCitus
    I am wondering too.

    Not only how easy can you sniff such data, but WHO can sniff such data?

    All routers and servers used to transit this data?
    Correct - if the packets come through you at any point, you can sniff the data.

  5. #5
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,569
    alternatively, if you're on the same hub/switch it's possible too..

    If the data is transferred in plaintext then it's readable

  6. #6
    Join Date
    Dec 2004
    Posts
    350
    The above has been well stated.

    I would only like to add, if the information is sensitive, you're doing yourself, your business, and your client base a disservice not enabling "https" as this would encrypt the data being passed

    *NOTE* https does not mean you're 100% safe, though you are compared to how data's currently being passed

    Just my 2 cents

  7. #7
    Join Date
    Dec 2004
    Location
    Back side of the Moon
    Posts
    39
    people, please...

    SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.

    Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.

    It truly is a no brainer.

    my 2 cents...

  8. #8
    Join Date
    Dec 2004
    Posts
    350
    Originally posted by wilcorp
    people, please...

    SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.

    Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.

    It truly is a no brainer.

    my 2 cents...
    FREE even if you have the ability to sign your own

  9. #9
    Join Date
    Dec 2004
    Location
    Back side of the Moon
    Posts
    39
    well anything FREE comes with a signature or some tracking code or some bullpoop like that, remember there are also different grades of the same Certificate.

    A 30.00 Cert. is about the minimum I would use, I do put them on clients' sites, but for my own projects I opt for a little more name brand and I do pay for it, but they come with the extra insurance to help recover with should something go wrong.

    It is important to know that a free Cert will not come with much support and this can be frustrating should the set-up process run into a snag.

    my take, just use a reseller of the recognized name brand Certs., they are always cheaper, then check with your Host, if you are your own host, great, but do some homework, because even if you go the FREE route, if you're like me your time is generally not free.

    my 2 cents...

  10. #10
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    Like bitfuzzy said, self signed certificates are free and don't have any tracking code. The only expense might be the IP address and paying someone to implement it.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  11. #11
    Join Date
    Dec 2004
    Posts
    350
    Nah, I didn't mean freely available

    I meant if he/she had the ability, and mod_ssl installed he/she could literally create his/her own cert, and sign it.

    The only drawback is that visitors would need to accept it via an informational popup.

    It typically takes 2-3 min to setup, though the first couple of times tend to take longer heh

  12. #12
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,569
    gone off on a bit of a tangent here...

  13. #13
    Join Date
    Oct 2004
    Location
    Tampa, Florida
    Posts
    80
    Something else to note is to maintain good security on your site and server and follow good security policies and procedures. If someone gains access to your server (linux or windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want.
    eWebtricity
    Hosting | Web Design | Server Administration
    http://www.ewebtricity.net | sales@ewebtricity.net
    http://www.1and1faq.com 1and1 Customer Support

  14. #14
    If you want to test this out on your own home network and have a linux box, I suggest trying dsniff and ethereal (ethereal has a windows version too)

    Ethereal is a real eye opener on a switched network

  15. #15
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,569
    i always used to like ettercap

  16. #16
    Join Date
    Dec 2004
    Location
    Back side of the Moon
    Posts
    39
    Originally posted by bitfuzzy
    Nah, I didn't mean freely available

    I meant if he/she had the ability, and mod_ssl installed he/she could literally create his/her own cert, and sign it.

    The only drawback is that visitors would need to accept it via an informational popup.

    It typically takes 2-3 min to setup, though the first couple of times tend to take longer heh

    ohhhh,

    I missed that, I think that is an interesting method, I've seen it being done but never done it myself, your point about the drawback could not be overstated, this is extremely important based on what you're doing and who your client base is.

    But if none of that matters, It's surely ideal...

    You'll have to update from a name based domain account to an IP based, if you're not the Admin. your Admin will like to charge you to do this but it seriously is a 5 minute account update.

    Don't let them charge you, here is why, your Cert will only work on their server ( the server you bought it for ). That means if you move your operation to another server in the duration of your current Cert, you'll have to buy another Cert for the new server, old Cert will be invalid.

    So tell your Admin you know this, and you know it ( sorta ) locks you into his / her server and for that ( benefit to him / 1 year client ) he needs to make the update at no charge. ( shouldn't take 5 / 10 minutes )

    Generally they have to delete the first name based account to create the second IP based account, so you'll need good back-ups of your files and database ( if you use one ).

    best of luck whatever you choose to do.

  17. #17
    You should just spend the small amount of money for an SSL cert. If you've got sensitive data on there, protect it. If you're not going to, at least make your customers aware that you're not using any encryption.

  18. #18
    Join Date
    Dec 2004
    Posts
    350
    Originally posted by wilcorp
    your point about the drawback could not be overstated, this is extremely important based on what you're doing and who your client base is.

    But if none of that matters, It's surely ideal...
    Not at all, you still get 128 bit encryption, it's just that the Certificate of Authority (in this case you) hasn't been setup in the browser as an authenticated Authority, thus the user has to manually accept your cert.

    I've found that notifying visitors what the message is before they see it helps ease tension, I use them for E-Sales, and not many opt for alternate payment methods.

    The only reason I use a self signed cert is because of the Verisign cert nightmare a year ago, I'll never have a dependency on an outside service if it's within my control to provide it myself

  19. #19
    Join Date
    Feb 2002
    Posts
    31
    If someone gains access to your server (linux or windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want
    Well.. if this happens... is there a way to find and destroy such SNIFFER TOOLS?

    What would you recommend?
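
One starting point for the question above on a Linux server, as an added example that is not part of any post: capture tools open packet sockets, and the kernel lists those in `/proc/net/packet`. The sample text and function names below are constructed; matching sockets to processes reads `/proc/<pid>/fd` and needs root.

```python
import os

ETH_P_ALL = 0x0003  # protocol a capture socket binds to in order to receive every frame


def parse_packet_sockets(text):
    """Parse /proc/net/packet content into one dict per open AF_PACKET socket."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows


def capture_all_sockets(text):
    """Sockets bound to all protocols, as packet capture tools open them."""
    return [r for r in parse_packet_sockets(text) if r["proto"] == ETH_P_ALL]


def owners_of(inodes, proc="/proc"):
    """Map socket inode -> PIDs holding it, by reading the /proc/<pid>/fd links."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                if link in wanted:
                    owners.setdefault(wanted[link], []).append(int(pid))
        except OSError:
            continue  # process exited or access denied
    return owners


# Constructed sample of /proc/net/packet (values are illustrative).
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8c0e3a0b1000 3      3    0003   2     1 0      0      23456
ffff8c0e3a0b2800 3      2    888e   3     1 0      0      19877
"""

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        hits = capture_all_sockets(fh.read())
    print(owners_of([h["inode"] for h in hits]))
```

Some ordinary daemons (DHCP clients, for example) hold packet sockets too, so each hit is a lead to verify against what should be running, and an intruder with root can tamper with what `/proc` reports.
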
