2010/11/12 14:23:00
Concerns about the use and lack of use of HTTPS with ICMS

Hi all
I've received an e-mail from a member of my website as follows: Just noticed that the login page (even when viewed over HTTPS) actually sends the login traffic in-the-clear over the internet. The actual HTML code fragment of relevance is:
<form style="margin-top: 0px;" action="http://www.mysite.com/user.php" method="post">
Again, with my security hat on, that's horribly bad practice. We'd normally recommend that login pages are viewable over HTTP - but that the actual form submission posts over HTTPS. Post-login, all traffic should be sent over HTTPS - to prevent interception of session cookies. This is not something that has not been on my 'To Do' list, and his e-mail has motivated me to try and look into this. I do have https available on my server, and the secure login page does use the https protocol, but a) is the claim that even then the login is sent in the clear true and if so, why? b) how easy is it to make the whole site, by default, use the https port rather than http? And c) what potential issues are there by doing this? Ta Ted

2010/11/12 17:06:30
Re: Concerns about the use and lack of use of HTTPS with ICMS

In the extras folder of the package you will see the files needed to convert the site to use https for all login procedures.
Then in preferences you just toggle on "use ssl for login"

2010/11/12 18:06:49
Re: Concerns about the use and lack of use of HTTPS with ICMS

This just got a bit more scary because of the release of Firesheep, an add-on for Firefox that sniffs cookies on open wireless networks. It lets you see who is logged into what on the network and hijack their session with one click, no skill required.
It affects any site not using SSL (e.g. Facebook, Twitter etc). It also affects sites that drop back out of SSL after login has taken place (e.g. Amazon, and which is how Impress works I think). There's a good Security Now podcast on Firesheep (skip to last half hour) or have a look at this blog post. Basically he's saying this will probably force all the big players to move to full time SSL. See also Aph3x's thread on setting up Impress under SSL.

2010/11/13 7:13:39
Re: Concerns about the use and lack of use of HTTPS with ICMS

The session id is regenerated; also in 1.3 the session cookie key will also be tied to the user's IP, browser agent and browser language. If any of those are different, then you'll have to login again.
I also did plan on trying to use private key pairs, where you upload your public key to the site, or have the site connect to a keyserver to retrieve your public key. Then unless you have the private key on your PC, your authentication will fail. Think of PGP encryption methods.
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2010/11/13 16:48:16
Re: Concerns about the use and lack of use of HTTPS with ICMS

Will - I will look into that extra file - I didn't realise it was potentially that easy.
Vaughn - cool stuff. All - in order that I can reply to any potential concerns by members of the club which the website represents, can I check the original question, which was: though the login page of https is encrypted itself, is the login password actually sent in plain text across the Internet, or not? I assumed it was not, as this is a big problem for our users if using an open wireless Internet cafe or something. Ta Ted

2010/11/14 2:11:10
Re: Concerns about the use and lack of use of HTTPS with ICMS

If the login page is viewed over https the password is not sent in the clear and a casual eavesdropper can't get it.

2010/11/14 2:44:14
Re: Concerns about the use and lack of use of HTTPS with ICMS

Never tested, but I would think so. You could test that if you have a site on a test PC at home, and then access the site on the LAN from a laptop or something whilst using a network packet monitoring tool such as Ethereal or something.
If it is, then it only leaves 2 options as far as I can figure. 1. You use SSL over https. 2. You design a client authentication system that a user installs onto his/her PC which then encrypts the password and user data before it is sent by the browser, so you are only transmitting the pw in a hashed form, or encrypted form, and the web server then decrypts it before authentication. Such a system could be done.
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2010/11/14 3:02:32
Re: Concerns about the use and lack of use of HTTPS with ICMS

As long as the form action goes to a https destination, the password is encrypted. Otherwise not. From what I can see in #1 I would say that the password is sent in plain format even though the page is displayed via https.

2010/11/14 6:29:59
Re: Concerns about the use and lack of use of HTTPS with ICMS

One thing I did adjust in version 1.1 is that when using the https protocol, the session cookie is set to secure mode, so in a sense, if you are using https, the cookie will only be sent over https; it will fail if you try to retrieve the cookie via http.
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
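To show what the secure cookie mode described above actually does, as an added example that is not ImpressCMS code: Python's standard cookie jar applies the same rule a browser does, so a PHPSESSID cookie set with the Secure flag over https is withheld from a later plain-http request, while the same cookie without the flag is sent both ways. The site URLs and the session id are constructed.

```python
"""What the Secure cookie flag does: a session cookie set over https is not
sent on a later plain-http request. Python's cookie jar applies the same rule
a browser does, so the behaviour can be demonstrated offline."""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_headers, set_url, request_url):
    """Store the cookies a response from set_url carried, then return the
    Cookie header a browser-like jar would attach to a request for
    request_url, or None if it would send none."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(set_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed samples (hypothetical site and session id): the session cookie
# as set over https with the Secure flag, and the same cookie without it.
SECURE_SESSION = ["PHPSESSID=constructedsessionid; path=/; Secure; HttpOnly"]
PLAIN_SESSION = ["PHPSESSID=constructedsessionid; path=/"]
LOGIN_URL = "https://www.mysite.com/user.php"
HTTPS_PAGE = "https://www.mysite.com/index.php"
HTTP_PAGE = "http://www.mysite.com/index.php"

if __name__ == "__main__":
    for label, headers in (("Secure", SECURE_SESSION), ("no flag", PLAIN_SESSION)):
        for page in (HTTPS_PAGE, HTTP_PAGE):
            print(label, page, "->", cookie_header_for(headers, LOGIN_URL, page))
```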

2010/11/14 16:28:49
Re: Concerns about the use and lack of use of HTTPS with ICMS

I would have to agree with your user and with Phoenyx - if the target of the form is on the http protocol, the username and password are sent in plain text.
However, if you are using login.php distributed with ImpressCMS, found in extras/ssl, the form action is just 'login.php', which when the page is loaded, will inherit the protocol used to load the page.
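A quick way to check both the fragment quoted in the first post and the relative-action point made above, as an added example that is not ImpressCMS code: it collects the forms on a page, resolves each action against the URL the page was served from (so a relative 'login.php' inherits https, while an absolute http:// action stays http however the page was loaded) and reports any form that would post its fields in the clear. The page URL and the HTML fragments are constructed samples.

```python
"""Audit the forms on a login page: does each one submit over https?"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> element in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # An empty or missing action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(page_url, html):
    """Return (resolved_action_url, posts_over_https) for each form in html.

    page_url is the URL the page was served from; a relative action such as
    'login.php' resolves against it and so inherits its scheme, while an
    absolute http:// action stays http no matter how the page was loaded.
    """
    parser = _FormActionCollector()
    parser.feed(html)
    results = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        results.append((target, urlsplit(target).scheme == "https"))
    return results


def insecure_forms(page_url, html):
    """Resolved action URLs of forms that would send their fields in the clear."""
    return [target for target, ok in form_targets(page_url, html) if not ok]


# Constructed samples (hypothetical site): the fragment quoted in the thread,
# and a relative action of the kind the extras/ssl login page is said to use.
ABSOLUTE_HTTP_ACTION = (
    '<form style="margin-top: 0px;" action="http://www.mysite.com/user.php" '
    'method="post"><input name="uname"><input name="pass" type="password"></form>'
)
RELATIVE_ACTION = '<form action="login.php" method="post"><input name="pass" type="password"></form>'
LOGIN_PAGE_HTTPS = "https://www.mysite.com/login.php"

if __name__ == "__main__":
    for html in (ABSOLUTE_HTTP_ACTION, RELATIVE_ACTION):
        print(form_targets(LOGIN_PAGE_HTTPS, html), insecure_forms(LOGIN_PAGE_HTTPS, html))
```

Feeding it the HTML actually returned for your login page (fetched over https) gives the same answer a packet capture would, without needing a second machine on the LAN.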

2010/11/15 5:22:30
Re: Concerns about the use and lack of use of HTTPS with ICMS

Yeah, I will implement that extra login file ASAP.
I assume that as I have https on my server already, I could just change the physical path details in mainfile to start with https instead of http? That way, all web page activity will be over https, protecting pages that may contain sensitive data if a user is accessing the site in a cafe or something? In summary, if I adjust the path to https and install the extras\ssl login.php file, my whole site will be over https, correct?

2010/11/15 6:44:52
Re: Concerns about the use and lack of use of HTTPS with ICMS

You need to have an SSL certificate installed on the server. If you are using shared webhosting, quite often they have a shared certificate already installed but you may need to look around to find the details.
To be fully SSL, you can't be pulling resources (e.g. images, scripts) from external sites. It's all got to be local or the user will get warning messages (they might not actually be of any security significance, but it's ugly and undermines confidence). Lastly, you also need to find a way to stop people accessing your site via http:// ... that's the bit I haven't worked out yet, although aph3x apparently has, where is he ?? :)

2010/11/15 7:58:00
Re: Concerns about the use and lack of use of HTTPS with ICMS

Quote:
Got one of those. It's a dedicated server so I can install my own certificates or generate my own. I'm trying to buy one properly.

2010/11/15 9:54:50
Re: Concerns about the use and lack of use of HTTPS with ICMS

Quote:
You can do that via .htaccess

2010/11/15 15:11:27
Re: Concerns about the use and lack of use of HTTPS with ICMS

I run a Windows server though - correct me if I am wrong, but .htaccess files don't work on WindoZe? Is there another or different way?

2010/11/15 16:53:07
Re: Concerns about the use and lack of use of HTTPS with ICMS

Quote:
Here's the code from Erol Quote:
This apparently will redirect people to the https location, and also ensure that the url starts with www.

2010/11/15 16:59:31
Re: Concerns about the use and lack of use of HTTPS with ICMS

Quote:
I'm here, it's just that a CMS doesn't attract me that much, especially where people's idea of thinking outside the box is with another box over their head. But that's just me, you guys have fun
_________________
So you made great theme yeah that's nice, now let me see ya do the same thing twice, 3times 4times and a couple of mo' times/Please, you're Amateur Night, it's Showtime

2010/11/15 20:59:00
Re: Concerns about the use and lack of use of HTTPS with ICMS

Cool ok now have it working, thanks. Will be moving everything to https and staying there.

2010/11/15 23:41:47
Re: Concerns about the use and lack of use of HTTPS with ICMS

There is a similar system on Microsoft WebPI. I believe it can even import apache .htaccess files.
Marcan is in Seattle right now, doing a Microsoft seminar. You could ask him with a tweet.

2010/11/16 0:54:27
Re: Concerns about the use and lack of use of HTTPS with ICMS

Hi Ted, I believe you can setup web.config in IIS to do the same.
http://www.isapirewrite.com/ should give you all the info on isapi_rewrite. http://www.15seconds.com/issue/020220.htm will explain a bit more about web.config. Also try the isapi_rewrite mod for IIS; it allows you to use htaccess.
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!