I building a service which be served via https.
I would like to know if password (or any specific key) transmitted in curl option CURLOPT_USERPWD are safe when data is "over the wire" ?
ALL data send via HTTPS is encrypted. This means that it is very difficult (but not impossible) for anyone between the server and the client to view the raw data of the request.
If you want to fully understand the potential ramifications of using HTTP basic auth, you should fully understand how it works.
Since HTTP is a plain text protocol, it is very insecure. HTTPS is simply HTTP using an encrypted socket - which means that the request/response format itself is completely unchanged. If you can view the plain-text version of the request, you can glean from it whatever information you like. But, using SSL/TLS makes it very difficult to view the plain-text version.
HTTP Basic auth is inherently vulnerable to man-in-the-middle attacks and should never be used over an unencrypted connection, but using HTTPS makes it fairly safe. The only consideration is that the server will be able to view the password in plain text - if you don't want this to happen, you should use Digest auth, HTTPS or otherwise.
Yes, the password won't be visible, because it is sent encrypted over the network, but most probably (not completely sure), the script that runs on the target website (the service in your case), will be able to see your password.
Related
I am creating a simple PHP application which uses JQuery and AJAX to call (GET method) a PHP script with some parameters; username and password. The application uses SSL.
When tracing the request in Google Chrome Developer tools, I see the following request URL:
https://application.com/php/login.php?username=John&password=Simple1234
I used WireShark to make sure the parameters are encrypted when sending the request, and I don't see any obvious request-headers.
Just to be a 100% sure. Does SSL also encrypt parameters which are included in the header and am I doing this the right way? I found some duplicate questions about this topic, but none of them had a specific example.
Yes but it is a bad idea to use $_GET for such sensitiv data.
This data would be saved in the server logs
This data would be saved in the browser cache
Even Screenshots taken while the login process could contain this data
Also even if the data is encrypted it is still "availble" and could be decrypted.
Use $_POST instead.
This article will show the risks:
https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
The fact that it is PHP or AJAX does not matter here.
The only thing that matters is the URL: is it https:// or http://?
If it is https:// since it means it is HTTPS(!) which means in summary HTTP inside TLS (SSL is dead since 20 years, its successor is TLS).
TLS encrypts everything (it does other things too but here we discuss only confidentiality needs), if implemented and configured correctly (I want to emphasize that because it is not a silver bullet, putting a sticker "TLS" is not enough, for example there is the whole issue of certificates verification, as authentication may be deemed more important that confidentiality in fact, because what do you gain if you encrypt everything towards an endpoint you are not 100% sure it is the valid one?)
What you see in the URL is part of the HTTP protocol. The URL will be inside the HTTP stream as GET /php/login.php?..., just before other headers. Same if using other HTTP methods. Since it is inside HTTP, it is inside TLS, hence encrypted.
The only thing visible by a passive monitor will be the domain name (both for DNS queries before the HTTPS connection - DNS over HTTPS/TLS solves that - and because of the SNI extension at the beginning of the TLS handshake - and encrypted SNI, still being designed, will solve that).
I have a PHP page on my SSL server which acts as a REST API effectively. What I need to do is take the unencrypted password from a different domain and POST to my page. After this, the server returns the encrypted data in JSON. I do this with my current website as a POST from the same domain is completely secure but I am not sure about from a different domain? Is there any way a hacker can intercept the POST data before it is encrypted?
Thanks
Kabeer
I didn't comprehend what you're describing in your question, but as for your title:
Is posting unencrypted passwords to an HTTPS server unsafe?
No, it is completely safe. Millions of websites do this every day via their login forms.
If you are receiving the POST data via HTTPS, then it is encrypted in transit and not easily intercepted. It is encrypted using a shared symmetric key between the client and the server, so that only they can decrypt each other's messages.
See How exactly HTTPS (ssl) works
I wouldn't say it is safe, but I would agree that it is fairly common to pass unencrypted user/pass and only depend on TLS/SSL...
TLS/SSL has been compromised a few times over the last couple of years, so depending entirely on it can involve risk.
I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks.
At the moment, I make a REST request from the client (android) side such as:
http://www.example.com/add_book.php?user_name=eddy&nonce=534365756756&book_title=My%20First%20Book
Here, I am using a nonce that will be stored against the user's id and checked for duplicate requests. However, in this unencrypted system someone can simply insert their own (random) nonce. What I want do is convert the above request to something along the lines of:
http://www.example.com/add_book.php?fsjdfhdhsjfhdsjf538537854rj34i5348ur4rf4r3g4yrg4y32210dfsdjfsdhfjshru99jifjknjsdfnfjsfhuruwe
that can be unencrypted server side to the equivalent unencrypted URL so the parameters can be accessed with $_GET['book_title'] (like in the usual manner).
In the ideal world, the request itself could be encrypted with the user's hashed password as an easy way to certify the user is who they say they are.
I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.
Does anyone know how I can do this? My requests are plain text atm so are incredibly vulnerable.
Thanks.
Android encrypting URL parameters and values and decrypting server side
Don't encrypt URL parameters!
I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks.
If you're trying to stop someone on the network from intercepting plaintext HTTP requests and manipulating them maliciously, HTTPS is the only solution you have.
If you're trying to stop a local user from doing the same, rethink the security model of your application.
I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.
You don't have to pay anything for HTTPS. It's free!
If you're using a hosting provider that makes it difficult to get HTTPS for free, set up a cheap VPS (LowEndBox, DigitalOcean droplets, etc.) and stop giving them your business. They'll adapt or die.
How safe is it to pass passwords / username in POST or GET requests to an external server?
I will use PHP / CURL and I have second toughts about security.
Alternatives will be considered aswell!
If you use HTTP without SSL encryption, everything is transmitted in the clear, which includes the full URL, the HTTP request/response headers, and the body of the POST request and response.
If you place a password in the GET parameters, it will additionally be displayed in the address bar and quite likely saved in browser history, proxy server logs, and sent to other websites in the referrer header. Sending the password in the POST body or in the standard Authorization header avoids this obvious problem, but it is still visible to an observer who can sniff or proxy your traffic.
Digest Authentication avoids transmitting the password in the clear, and only a non-reusable signature is exposed to the outside observer. It is still vulnerable to man-in-the-middle attacks; see HTTP Digest Authentication versus SSL.
The correct solution is to use an SSL certificate and exclusively use HTTPS. When you do so, the URL string, HTTP headers, and POST body are all encrypted, and the browser verifies that no third party is operating a server in the middle. HTTP Basic Authentication is permissible in this case.
By themselves, not necessarily. You shouldn't use GET for things aside from queries, in general because they can get stored on the user's browser. POST is relatively easy to encrypt using libraries, as you shouldn't implement your own encryption.
Also, if you get an SSL, that would help. If you use HTTPS (rather than HTTP), then it will be even more secure.
You didn't give many details as to what the page was (read: the language) so I can't really recommend a good encryption library, but just Google it and I'm sure you'll find something.
I'm PHP developer and I know very little when it comes to https/ssl, but I would like to offer my client safest possible way of uploading file to webpage (i.e. webftp as part of client service on page).
Which way should I look?
Thank you in advance, I will clarify my question if needed.
I'll probably disappoint you, but without HTTPS or some other form of encryption, all the data passing over the wire is plaintext - this also holds for FTP. (In other words, it's practically impossible to verify that the data which the server has received actually came from the client, and hasn't been modified.)
Valid (and widely accepted) HTTPS certificates are cheap and relatively simple to use, plus it's probably the optimal solution currently available in terms of safety*simplicity (switch URLs from HTTP to HTTPS, no other configuration required from end user). With a valid SSL certificate, the client could be reasonably sure that they're communicating with your site and that the data is encrypted while in transit.
In other words, there are safer (but more complicated) alternatives (such as encrypted VPN), and there are simpler (but less safe) alternatives (such as plain HTTP). HTTPS done right is about the right combination of safety and simplicity for a general-purpose website. (OTOH, if you're trying to protect top-secret NSA files, HTTPS is definitely not enough)
I'm sorry, the browsers themselves offer no alternative to either sending the file in plain text or sending it encrypted through HTTPS.
The only alternative would be to use some sort of client side plugin (e.g. a Java Applet) that would encrypt the file prior to sending it (as a bonus, you could compress the file before it was encrypted and sent). However, this solution hinders compatibility by requiring a plugin to be installed, is much more complex and ultimately rendered unnecessary by the existence of HTTP over SSL/TLS (HTTPS).