I've come across a medical provider website that serves its pages over aspx. This provider has new client forms within this same aspx page. I contacted the vendor that built the website asking why they aren't using https. They assured me they are using https encryption within the iframes.
My question: Is this response total BS?
It seems to me that a very simple way to hack this website would be to spoof the site using my own aspx page that redirects over to me. Without https, the browser has no idea of the security, so nobody would be able to tell if they were on my website or the actual one.
This is all HIPAA protected info (in the US) that's transmitted, so there are laws about how it must be protected. It seems that the contractor is being pretty negligent, but maybe I'm missing something.
FYI, I'm not posting the website on purpose because I don't want to invite hacking something I think is insecure.
Without knowing how the iframes are used, it's hard to assess the security issues the site may have.
But it sounds like they may gather the new clients info on insecure forms and then posting them to an https endpoint. As Troy Hunt explains in this article, this is not a secure practice.
Obviously as you already allude to, without https, a man-in-the-middle attack could easily post the complete form to an attacker site without the user knowing as the integrity and/or origin of the page are not guaranteed.
Even if they are serving the form in an iframe over https, if the containing page is served over http, the iframe can be replaced by a MiM attack.
Related
I've just put an ssl on a WP site and was wondering if all pages should be https, or just the key ones (checkout, etc).
It's about 1500 pages and posts. So going through and finding all non secure assets could take a while.
1) Is it worth making the whole site https?
2) Is the speed an issue these days (from the research I've been doing, it appears it's not so much of an issue anymore)
3) If only key pages are https, is it possible to make the links on the page http (ie After ordering on a secure page, the customer is redirected to a secure confirmation page. But let's say they then click through to the blog... the blog shows up as https... but because it has unsecure elements, it shows error messages in the browser. So, is it possible to click from a https page to a non https page.
(I am using the "Wordpress Https Plugin", which has a "Force SSL Exclusively" function, but, this causes problems with the shopping cart on there, so it can't be used.) Thanks
You kow, honestly, at this point if you're making any page secured with https -- which means you somehow deal with the cert issue -- just make them all. The performance hit is less noticeable if the first SSL/TLS handshake happens when first finding the landing page, and there aren't many advantages to sticking with HTTP.
Update
I guess that wasn't clear enough, or I Hm, I think I just got tl;dr on a one paragraph answer.
IF "you're going to use HTTPS at all"
THEN
"You might as well just use it everywhere."
ELSE
"Don't."
FI
Yes, you should definitely make your entire website https is you are able. However, mixing non-https content inside the same page will make most browsers give users warnings, which might confuse them into thinking your site has security problems.
Linking to non-https sites is not a problem, but using assets (javascript, css, images) from non-https sites is.
Unless your site is visited daily by millions of users, you probably shouldn't worry about the performance hit and make the whole thing https. Remember that nowadays Google takes https as a signal for better ranking your site, so it's good for SEO as well.
I have a Sign-In functionality implemented as a pop up. It appears in Landing page and Pop up is inside the markup of this page.
Landing page is not SSL enabled (Not https), but when the user tries to Sign In I want the passwords to be sent to the server via SSL.
What is the recommended approach to achive this?
The mix between http and https is not a good idea. Troy Hunt (among others) wrote an article showing how wrong things can get: 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data).
See also HSTS, which is a good thing.
I was recently looking around at some of the features my current web host offers, and am now wondering about a few things. Even if you can only answer part of this, I appreciate any help you can provide.
I have a domain, mydomian.com, and the host offers shared SSL so I can use HTTPS by using this address https://mydomain.myhost.com. The SSL certificate is good for *.myhost.com.
I don't know a lot about SSL, but I'm assuming this means that the data between site users and ANY domain on myhost.com is encrypted. So was curious if this meant that if someone else on the same host as me somehow intercepted the data from my site would they be able to view it, since they would also have a https://theirdomain.myhost.com address, which uses the same SSL certificate? I may have no idea at all, and this was pretty much a guess.
If HTTPS is used on a login page, but after logging in the other pages are viewed over HTTP, is this a security issue?
Is there any way to show a web form via HTTP for bots like Google, but have real users redirected to the HTTPS version? Would be ideal if this could be done via .htaccess. I currently have some rewrite rules that redirect certain pages to HTTPS, but the rest as HTTP. So if a visitor visits the contact form they get the HTTPS version automatically, but it automatically switches back to HTTP for pages that don't contain forms. So, via htaccess, is there a way to direct real users to the HTTPS version, but have bots directed to the HTTP version? I would like these pages to still be indexed by the search engines, but would like users to see it via HTTPS.
Thanks in advance for any help you can provide.
I'm going to guess you'll be okay for number one. If your host does it correctly, individual subdomains never get to see the SSL keys. Here's how it would work:
Some guy with a browser sends an encrypted request to your subdomain server.
Your host's master server receives the request and decrypts it.
The master server sends the decrypted request to your subdomain server.
And any HTTPS responses you send back go through that process in reverse. It should be easy to check if they've set things up that way: If you can set up shared SSL without personally handling any key files, you're good. If you actually get your hands on some key files... not good.
For two: If you encrypt the login, you protect the passwords, which is good. But if you switch back to HTTP afterwards, you open yourself up to other attacks. See: Firesheep. There may be others.
And for three. Yes - definitely doable. Check out mod_rewrite. Can't give you an example, as I've never used this particular case, but I can point you to this page - particularly the section entitled "Browser Dependent Content."
Hope that helps!
Every traffic is encrypted, when you use https:// as protocol. (Except for some uncommon circumstances I won't talk about here). An SSL certificate's purpose is to prove the identity of the server, by combining it's public key with an identity. This certificate is only usable with the private key that belongs to the public one. In your case it seems that this certificate as well as the key-pair is provided by your hosting provider. I guess that neither you nor the other customers on the host have access to this private key. That means that only your provider is able to decrypt the traffic. Since that's always the case (he's running the server, so has access to every data), that should be no problem.
In most cases it is a security issue. On every further unencrypted http-request the client has to provide some information of the session to the server. These can be intercepted and used by an attacker. (simply speaking)
The bots should support https, why not redirect them? Anyhow: The important part is not to provide the page containing the form via https. To protect your user's data you should take care that the response is transferred via https.
What is common practice for coding web applications where part of the site has to be secured (e.g. checkout section) and part not necessarily, let's say homepage? As far as I know sharing sessions in between HTTP and HTTPS parts of the site is not easily possible (or is it?). What would be common approach if I wanted to display on HTTP page like homepage, shopping cart data (items) that users ordered on HTTPS pages? How those two parts of the site would communicate if necessary? Also isn't it security flaw in popular shopping carts as it seems that many of these have only checkout pages secured (SSL) and the rest not?
I'm using PHP if it makes any difference.
The simplest answer is to have all links to your "secure" pages link to https://. Obviously this can be somewhat of a nightmare depending on the site.
Another alternative is to set up URL rewrite rules to automatically direct secure pages to https:// if trying to access them via http://
Check out mod_rewrite for Apache if you are not familiar with the concept. Depending on what web server you are using there are other options available to achieve the same functionality, but that should give you an idea of what your options are. I assume since you're using PHP that you're using Apache, but could not be the case?
I would say that is probably the most common approach. If all of the secure pages reside in a given directory, that makes it even easier as you can write rules to say that everything in that directory must be requested via https://, otherwise http:// is suitable.
Its pretty common practice to use cookies to store cart data throughout a site. Security isn't an issue because you only care about your credit card data going over the wire. The list of things I want to buy isn't particularly sensitive.
I can tell you what I did for an ecommerce site I created from scratch. His whole site is HTTP, which includes checking out with a check (ie they fill in their info, an invoice is generated and a check is snail mailed to the seller). But, the credit card processing is done on Paypal's side, which is HTTPS. But, in order to get the cart data to Paypal I used hidden post elements, and Paypal did the rest.
Not the greatest system, but it works.
If I am on a website#1, and I enter my username/pwd for website#2 on a login page that is on website#1, and website#1, behind the scenes, makes a httpwebrequest to website#2 and posts to the login page. If I then navigate to website#2, should I be logged in?
website#2 uses formsauthentication and I call a httpHandler that is on website#2 and pass it the username/password via the querystring.
Should this work?
What you're trying to do is called Single Signon. The way you're doing it, posting values from one site to another, probably won't work because you're using the same technique a hacker might use to trick user into sharing their login information. It's called a cross-site request forgery attack. IIS is configured not to allow that.
Generally, you need a central authentication system that both sites use to share login information. This can be done in several ways, including a shared database-based login system. Google "asp.net single sign on" for more ideas.
Do site #1 and #2 want their users to have single sign on?
If so, read up on single sign on. It's a bigger project than can be addressed here. There is a good book on it though from Wrox :
http://www.amazon.com/Professional-ASP-NET-Security-Membership-Management/dp/0764596985/ref=cm_lmf_tit_10
Or are we imagining something sinister?
If we are imagining something sinister, then evil site #1 would collect the credentials, then automate a browser on the server side to start checking to see if site #2 uses the same password and user combination. Then the server would have an authenticated session. This wouldn't give the user who accessed site #1 an auth cookie, the HttpWebRequest object on the server would get the auth cookie. Site #2 couldn't really do anything to prevent this because a browser request from one computer looks much alike a browser request from another. A well crafted attack would spoof all elements of the browser's request so that it looks like it came from a browser instead of a primitative HttpWebRequest object, which may not even set the user-agent.
Site #2 should stop using passwords and user Id or use 2 factor ID if they are concerned abut this, or do something that requires javascript for logon because spoofing a browser that is executing javascript is harder than spoofing a browser that just sends and receives http requests and responses.
There are too many security issues trying to auto-authenticate between sites. There needs to be a central security provider that both sites belong to so that hand off is completed securely.
We use CA's Siteminder for cross site authentication. Effectively, web 1 creates a unique session id on the siteminder server and passes any credentials and info to it. Siteminder invokes web2 and passes the information by means of session variables. Web 2 retrieves the data from the session and uses it. There's much more going on there but that's the just of it.
To do something like this, I would strongly consider using an out of the box solution as generally coding up custom security generally falls short.
While this can be done on some cases, in the form of an HTTP request with POST parameters, you will not be authenticated once you browse to site #2.
This is because, generally, these sites store a cookie on your end and these are domain-based, which means that even if you grabbed that and stored it yourself from site #1, the cookie name would not match site #2.
Additionally, site #2 may not be easy to authenticate against and this is usually a security concern that developers are aware of. This can be considered an attempt of XSS as well.
In case you're simply doing this for yourself, I'd recommend LastPass and save most of your info in it.
Please reconsider your goals and how to achieve them, this is not the way.
Edit: Link text.
This could work, depending on the security measures in place on website #2. For a secure website, this would fail.
I would recommend against this purely on the basis of good security and good coding/design practices.
If you are unclear what security measures stop this, you should probably educate yourself so you can prevent the same issues on your own site. See http://www.owasp.org/index.php/Top_10_2007
Since both your sites are using FormsAuthentication you can easily configure both of them to share FormsAuthentication encryption schemes.
This will allow you to do Cross Application Authentication automatically :)