I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks.
At the moment, I make a REST request from the client (android) side such as:
http://www.example.com/add_book.php?user_name=eddy&nonce=534365756756&book_title=My%20First%20Book
Here, I am using a nonce that will be stored against the user's id and checked for duplicate requests. However, in this unencrypted system someone can simply insert their own (random) nonce. What I want do is convert the above request to something along the lines of:
http://www.example.com/add_book.php?fsjdfhdhsjfhdsjf538537854rj34i5348ur4rf4r3g4yrg4y32210dfsdjfsdhfjshru99jifjknjsdfnfjsfhuruwe
that can be unencrypted server side to the equivalent unencrypted URL so the parameters can be accessed with $_GET['book_title'] (like in the usual manner).
In the ideal world, the request itself could be encrypted with the user's hashed password as an easy way to certify the user is who they say they are.
I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.
Does anyone know how I can do this? My requests are plain text atm so are incredibly vulnerable.
Thanks.
Android encrypting URL parameters and values and decrypting server side
Don't encrypt URL parameters!
I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks.
If you're trying to stop someone on the network from intercepting plaintext HTTP requests and manipulating them maliciously, HTTPS is the only solution you have.
If you're trying to stop a local user from doing the same, rethink the security model of your application.
I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.
You don't have to pay anything for HTTPS. It's free!
If you're using a hosting provider that makes it difficult to get HTTPS for free, set up a cheap VPS (LowEndBox, DigitalOcean droplets, etc.) and stop giving them your business. They'll adapt or die.
Related
I have a PHP page on my SSL server which acts as a REST API effectively. What I need to do is take the unencrypted password from a different domain and POST to my page. After this, the server returns the encrypted data in JSON. I do this with my current website as a POST from the same domain is completely secure but I am not sure about from a different domain? Is there any way a hacker can intercept the POST data before it is encrypted?
Thanks
Kabeer
I didn't comprehend what you're describing in your question, but as for your title:
Is posting unencrypted passwords to an HTTPS server unsafe?
No, it is completely safe. Millions of websites do this every day via their login forms.
If you are receiving the POST data via HTTPS, then it is encrypted in transit and not easily intercepted. It is encrypted using a shared symmetric key between the client and the server, so that only they can decrypt each other's messages.
See How exactly HTTPS (ssl) works
I wouldn't say it is safe, but I would agree that it is fairly common to pass unencrypted user/pass and only depend on TLS/SSL...
TLS/SSL has been compromised a few times over the last couple of years, so depending entirely on it can involve risk.
I have created web service for android in PHP that uses GET method. Now I want to convert it to POST, to make it more secure. How to convert the application from GET to POST? Is there any other way to make it more secure?
The answer depends on who you want to secure it from. Assuming that you want to protect from network sniffers, SSL is your best option.
POST is the weakest form of "security" you could suggest. All it does it prevent the parameters being visible in a browser's cache history (which doesn't affect you at all in this case) and make it a fraction harder to sniff the parameters over the network (which does affect you). So there's minor benefit (yes, it's worth it), but it's not secure at all.
The simplest solution is to POST using SSL. In other words, as opposed to posting to "http://example.com" you should post to "https://example.com" with a valid certificate on the server. That will encrypt the traffic between device and server. Google for suggestions, or start Secure HTTP Post in Android
Failing that, you could encrypt the data yourself and then send the encrypted query openly as only your server can decrypt it. A little bit of Googling will give you code on how to encrypt in one and decrypt in the other securely - but as a small warning, getting it to work can be frustrating as it won't work until it suddenly does... there's not much debugging you can do when it doesn't work!
I building a service which be served via https.
I would like to know if password (or any specific key) transmitted in curl option CURLOPT_USERPWD are safe when data is "over the wire" ?
ALL data send via HTTPS is encrypted. This means that it is very difficult (but not impossible) for anyone between the server and the client to view the raw data of the request.
If you want to fully understand the potential ramifications of using HTTP basic auth, you should fully understand how it works.
Since HTTP is a plain text protocol, it is very insecure. HTTPS is simply HTTP using an encrypted socket - which means that the request/response format itself is completely unchanged. If you can view the plain-text version of the request, you can glean from it whatever information you like. But, using SSL/TLS makes it very difficult to view the plain-text version.
HTTP Basic auth is inherently vulnerable to man-in-the-middle attacks and should never be used over an unencrypted connection, but using HTTPS makes it fairly safe. The only consideration is that the server will be able to view the password in plain text - if you don't want this to happen, you should use Digest auth, HTTPS or otherwise.
Yes, the password won't be visible, because it is sent encrypted over the network, but most probably (not completely sure), the script that runs on the target website (the service in your case), will be able to see your password.
I want to secure the login page on my blog when my browser sends my password to the server (http) as I don't want anyone to steal it.
How would you do it?
As far as I am aware the only real way to do it from a production perspective would be to use javascript to encrypt the data sent in the form and then decrypt it at the other end.
There appear to be a couple of JS classes for this purpose, e.g. http://www.jcryption.org/
jCryption uses the public-key algorithm of RSA for the encryption.
Then a third party packet sniffer would have to know the decryption key to be able to do anything with the data.
I would recommend using SSL for all login's though! Personally I tunnel all my traffic over a VPN so I know it is slighty safer when in public places.
You could only allow the use of the login page over an SSH tunnel ;) However I think SSL is then much less burdensome.
The javascript suggestions I don't know what I should think about those. The key must be shared between client and server so this needs a secure key-exchange as well. That's not trivial at all and I suspect that only very few really good libraries for that are around. The basic suggestion to "encrypt" something with javascript will most certainly just fail.
Use JS to perform RSA. Encrypted it before posting it to the server. Then decrypt it when reach the server
If you ask me, I won't use non-SSL encrypted logins. As soon as sessions are involved I switch to SSL as session stealing without SSL is just too easy. Also SSL allows me to protect my pages with Basic-Auth, so I do not even need a session.
So perhaps best is to consider switching your Blog to SSL entirely. Note that for using SSL on your server you just need an SSL certificate. There is a company out there which offers a free ssl certificate for 0$ per year. Also note that Google and all major search engines can handle https pages without trouble.
I skip the 1000 lines of answer how to implement your own secure password scheme using JavaScript and AJAX over insecure lines, because this is difficult to implement.
Two options how to securely login without JavaScript and without SSL come into my mind:
There is a cheap one time password USB device out there. You just plug it into the USB port, press the button, it creates an OTP and here you go. As it is an OTP it only is valid a single time, so no replay and no problem when it is sniffed.
The other thing is OpenID which is used here on stackoverflow. OpenID does not need SSL between server and client. Note that this USB token above already is OpenID enabled as well.
Both ways offer trainloads of free libraries to implement it using PHP or other languages. It certainly is easier to implement than to create a properly designed and secure password scheme yourself over insecure lines.
One big caveat, however:
If you use sessions over insecure lines, and logins ususally use sessions, be sure to protect the session at least by the IP seen. This must be implemented on the server side. This way, if somebody steals the session Cookie the session cannot be (ab)used, provided that the thief does not share the same wLAN (or computer) as you.
I roamed the site for this question using the search engine, and I don't think it's out there. If it is, apologies in advance and feel free to point me to it.
Here is my scenario:
I am setting up a web application, Moodle if anyone is familiar with it, with Apache, MySQL, and php on Windows. Moodle supports enabling SSL for login, but then reverts to regular http after login is established. This is running on an internal network with no connection to the outside world, so no Internet access through this network. All users who use the network have logins, however there are some generic guest type logins with certain restricted privilages. Currently the MySQL database is not encrypted.
My question is this:
If my users do an SSL login, and the system then reverts back to http for the remainder of their session, how vulnerable is the data that is transferred back and forth between the browser interface and the database?
I would perhaps prefer to have all the data encrypted, but I am not sure how bad the performance hit would be to do that, so any suggestions concerning that would be appreciated too. Although I will be extending the functionality in Moodle, I don't necessarily want to have to change it to encrypt everything if already does.
I am new to the world of IT security, and my DBA skills are rusty, so if you give me an answer, type slowly so I can understand! ;)
Thanks in advance!
Carvell
A few things.
The fact that the data in the DB server is not encrypted in no way is a factor in the communication between the User and the Web Server. It is a concern obviously for communications between the web server and the database server.
Your risk point between user and web server is in that packets could be sniffed if a person was able to interject in the middle of the communication chain. However, this risk is mitigated by the fact that your on an internal network.
Therefore, unless you are VERY concerned about the other people in your organization, you are more than likely ok. However, if it is really sensitive data, you might do ALL communications via SSL to ensure that it is transmitted securely. IF you are this concerned, then I would also look at the security of the DB and the communications from DB to webserver.
My concern would be how your authenticated sessions are propagated.
Generally a session works by setting a cookie or appending a session id to any URLs presented by the web site. Once a log-in has been established, often the credentials aren't needed any more, as a session is then linked to the user and deemed to be authenticated, and the existence of the session itself is proof of a successful authentication.
However, as previous posters have mentioned, local network traffic can be available for sniffing. If someone sniffed a session id, they could recreate the cookie or urls using the session id, and simply access the site as that session user, even changing the user's password if that option was available.
I would say that your decision here rests on the security of your sessions. If you have some mitigating factors in place to make sessions difficult to replicate even if a session id is compromised (ie. comparison to ip addresses, etc), or your user accounts are relatively secure from a compromised session (eg. require current password to change account settings), then perhaps SSL after login isn't required. However, if you have doubts and can afford the performance hit, then having SSL throughout the site will guarantee that your sessions can't be compromised (as far as you can guarantee SSL, anyway).
With no internet access to this network, the only thing that could potentially happen is someone else (who is already on the internal network) snooping on another user's HTTP traffic. If someone were to actually do that, and you aren't using SSL, they could read all the data that your website is sending/receiving from that user. But is that actually a concern?
Since you are on an internal network turning on SSL for the whole site should not be that bad performance wise, although it is probably unneccesary.
At the very least, you should encrypt the data in your database.
All sensitive data should be encrypted when transferred over an insecure wire. If you just transfer login details over SSL, all your data is still vulnerable to eavesdropping.
Since the data's not encrypted, anybody with sufficient network access (i.e. physical access) can read the data passing back and forth from server to browser and back. As long as everyone who has physical access to the network also has authorization to read the data, you're probably alright. If any of the information is sensitive, and should be restricted to being viewed by a subset of people who have physical access to the network, then you need to encrypt it.
Anyone on your network would be able to see everyone else's traffic with a network packet sniffer like WireShark. The connection between your web server and MySQL is also in cleartext. MySQL may not actually send passwords in cleartext; it may be a hash, for instance.
If you are really trying to be paranoid, you may not need to run your app over HTTPS. There are other lower-level possibilities like IPSec. Since this is an internal network, you can probably get away with implementing this on all workstations.
Not much to add to the above correct responses. But, one think you can do is use a Threat Modeling tool for your application. That will inform you on the types of threats you are exposing your data to by not using transport level encryption (TLS/SSL). Once you understand the threats, you can decide on an appropriate risk mitigation plan.