Menu
Okay, this is probably quite basic, but the implications are important to me in this phase of development. I am thankful for any input and discussion.
The data in this example are not protected using SSL encryption.
page1.php/asp contains a form which POSTs the variables username and password to page2.php/asp.
If the above question renders TRUE:
I ponder these issues, I appreciate any input and feedback.
752
Data Breaches A data breach is an incident that exposes confidential or protected information. A data breach might involve the loss or theft of your Social Security number, bank account or credit card numbers, personal health information, passwords or email.
Just like any thief, a hacker will choose the most vulnerable targets they can find. But instead of using lock picks to steal from your home or business, they use software to steal your personal data. Hackers will often try to glean information such as credit card numbers or bank account information.
Compromised downloads An individual might download programs or data from compromised websites infected by viruses like worms or malware. This gives criminals unauthorized access to their devices, allowing them to steal data.
When the user submits the login form through unencrypted HTTP, their data gets sent to your server by traveling through a series of routes. At any one of these routes, yes, someone could sniff the data. Also if the user's machine was infected, the hacker could sniff the data locally.
If it's a login form you should be using SSL, period. Also make sure the user's password is encrypted in your database. The process for logging in should be:
That way, if your database is ever hacked, the passwords are very VERY difficult to figure out (unless they used something basic like 'password', but that's their fault at that point).
Does it make sense to encourage the user NOT to use his or her normal (assumed safer) password, since it won't be protected?
You'll be driving users away.
119
Can ANYONE from ANYWHERE intercept my POST data just by listening for it, perhaps with some third party software like Firesheep?
No, the traffic has to pass near them.
If the above question renders TRUE:
It doesn't, but even so.
Should I always consider my unencrypted POST data freely available for anyone?
Unless it only travels across a LAN, then yes. If it does only travel across a LAN then add the qualifier "on that LAN" and the answer will be yes.
Are the standard login form on my site just a ploy to depict a layer of security that's not even there?
No
Should I then consider the login feature just as a way for me to personalize the user experience?
Certainly you shouldn't do anything serious without encryption.
Does it make sense to encourage the user NOT to use his or her normal (assumed safer) password, since it won't be protected during their registration and login procedures?
It would make sense to do so for any system. Even if the communication was secure, your server could be compromised in the future, or a third party system could be and then the data there used to attack your system.
36
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
