WebApp Sec mailing list archives
RE: Growing Bad Practice with Login Forms
From: "Yvan Boily" <yboily () seccuris com>
Date: Tue, 27 Jul 2004 11:24:54 -0500
This is not a reliable suggestion; the secure icon for an HTTPS connection indicates only that the CURRENTLY viewed page uses SSL, not that any other pages use it. Most users disable the warning box that notifies them that they are moving between encrypted and unencrypted sites, so the observation that the site is encrypted *at this point* is not a valid means for being trustworthy. This is crucially important in the case Furthermore, I think it is important to clarify something on the symantic level. As security professionals we need to stop using marketing and user-friendly terms for what we know not to be true. The browser icon indicating that SSL is in use is a recognition of the fact that the data being exchanged is encrypted, not that it is secure. Many people on this list are aware of the difference, however using the two interchangeably when discussing the security of protocols such as HTTP and HTTPS is misleading for people with less experience. We cannot always educate users about the nature of information security, but we should do our best to prevent confusion among those trying to learn.
From a secure programming perspective, there are a number of means to
mitigate phishing attacks which attempt to modify the use of forms transmitted via HTTPS: 1. Use SSL to ensure the authenticity of a web page + sufficiently savvy users can inspect the certificate to ensure that the site is who it claims to be + using SSL 2 or TLS provides the benefits of public key encryption (authentication, integrity, privacy, non-repudiation) - only protects contents of web page in transit * proper application of input validation and output transformation mitigates attacks at the client end - all components of the web page must be loaded via SSL or the security benefit is lost * loading images, advertisements, etc via HTTP can leak cookies and can reveal SIDs etc 2. Input validation + ensures that all data complies with what is expected + provides first line of defense against injection attacks (XSS, SQL) - can interfere with functionality and useability if validation techniques are too paranoid * I don't see this as a negative. - depending on validation mechanisms they can be fairly time consuming * buy a better webserver. 3. Output filtering + ensures that all user entered data is translated from raw data to HTML entities, radically increasing the difficulty of XSS attacks - can place a huge load on webserver depending on the volume of user entered data being translated and mechanisms used to translate between the two These are just broad overviews of the techniques that can be used (and are used in applications which I have designed and implemented). There are a huge number of other concerns, such as rotating session identifiers when switching between encrypted and unencrypted connections, preventing session fixation attacks, and other session hijacking prevention techniques. There also seems to be a general concern over how HTTPS encapsulates an HTTP transaction. The HTTPS protocol establishes the connection using the following (basic description) steps: 1. Client sends SSL request 2. Server responds with certificate and its public key 3. If the certifcate and key match *OR* the client blindly accepts the public key the client will generate and encrypt a symmetric key for communications using the servers public key and transmit it back to the server. 4. The server decrypts the key and uses the key to encrypt data exchanged for the HTTP session. 5. Once the server has the encryption key the server accepts an HTTP request that is encrypted and provides the HTTP response in an encrypted format. If a web page is actually using SSL the server will not receive information prior to establishment of the encrypted channel for the HTTP exchange. I have taken the liberty of including a basic SSL transaction using CURL and plaintext packet dumps (my tool of choice for this is ipex) to illustrate this.
curl -v -k https://localhost:443
* About to connect() to localhost:443 * Failed connect to localhost: 61 * Connected to localhost (127.0.0.1) port 443 * SSL connection using DHE-RSA-AES256-SHA * Server certificate: * subject: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/CN=www.snakeoil.dom/emailAddress=www () snakeoil dom * start date: 1999-10-21 18:21:51 GMT * expire date: 2001-10-20 18:21:51 GMT * common name: www.snakeoil.dom (does not match 'localhost') * issuer: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca () snakeoil dom
GET / HTTP/1.1
User-Agent: curl/7.10.5 (i386-portbld-freebsd4.8) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.4 Host: localhost Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* < HTTP/1.1 200 OK < Date: Tue, 27 Jul 2004 16:05:31 GMT < Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7a < Last-Modified: Thu, 17 Oct 2002 17:20:40 GMT < ETag: "83820e-5a-3daef168" < Accept-Ranges: bytes < Content-Length: 90 < Content-Type: text/html < X-Pad: avoid browser bug <html> <body> <title> xxxxx.seccuris.com </title> This is not a website. </body> </html> * Connection #0 left intact * Closing connection #0 DEBUG: 0 2004-07-27 16:05:31.634338 localhost:2694 > localhost:https tcp S S:1488879916 A:0 W:57344 (DF) _______________________________________________________________________ ----------------------------------------------------------------------- 2004-07-27 16:05:31.634416 localhost:https > localhost:2694 tcp AS S:1763529723 A:1488879917 W:57344 (DF) _______________________________________________________________________ ----------------------------------------------------------------------- 2004-07-27 16:05:31.634508 localhost:2694 > localhost:https tcp A S:1488879917 A:1763529724 W:57344 (DF) _______________________________________________________________________ ----------------------------------------------------------------------- 2004-07-27 16:05:31.635812 cfw01.seccuris.com:4202 > cfw01.seccuris.com:domain udp (DF) 0x0100| 447b 0100 0001 0000 0000 0000 0130 0130 |D{...........0.0 0x0110| 0130 0130 0769 6e2d 6164 6472 0461 7270 |.0.0.in-addr.arp 0x0120| 6100 000c 0001 |a..... 2004-07-27 16:05:31.644243 cfw01.seccuris.com:domain > cfw01.seccuris.com:4202 udp (DF) 0x0100| 447b 8583 0001 0000 0000 0000 0130 0130 |D{...........0.0 0x0110| 0130 0130 0769 6e2d 6164 6472 0461 7270 |.0.0.in-addr.arp 0x0120| 6100 000c 0001 |a..... 2004-07-27 16:05:31.645568 cfw01.seccuris.com:4203 > cfw01.seccuris.com:domain udp (DF) 0x0100| 447c 0100 0001 0000 0000 0000 0233 3701 |D|...........37. 0x0110| 3003 3131 3203 3230 3407 696e 2d61 6464 |0.112.204.in-add 0x0120| 7204 6172 7061 0000 0c00 01 |r.arpa..... 2004-07-27 16:05:31.663713 localhost:2694 > localhost:https tcp AP S:1488879917 A:1763529724 W:57344 (DF) _______________________________________________________________________ i 9 8 5 3 2 / f c b a @ e d ` o PI./ 8 GU Xc 5% n sN ----------------------------------------------------------------------- 2004-07-27 16:05:31.721146 localhost:https > localhost:2694 tcp AP S:1763529724 A:1488880065 W:57344 (DF) _______________________________________________________________________ J F A }K w - l _ b Y g5 C H U @ -V _ * & ; 9 D @ = :0 60 0 * H 0 1 0 U X Y1 0 U Snake Desert1 0 U Snake Town1 0 U Snake Oil, Ltd 1 0 U Certificate Authority1 0 U Snake Oil CA1 0 * H ca@snakeoil.dom0 991021182151Z 011020182151Z0 1 0 U XY1 0 U Snake Desert1 0 U Snake Town1 0 U Snake Oil, Ltd1 0 U Webserver Team1 0 U www.snakeoil.dom1 0 * H www@sna keoil.dom0 0 * H 0 h Q t X o c 4cr s i z k m b Xrgq [ \ W \ 6=^+ b k +f 8f]H ' ? [; / "e e <`Ab n0l0 U 0 www@snakeoil.dom0: ` H B - +mod_ssl generated custom server certificate0 ` H B @0 * H z1 5 G 9 Av J e c !z + [ )EZ| t UW i c [ HB Z `v . ! &h F u N G_Z H L8 =I[ ,| y Q ^* d Jy p Y # 0H / < H n >7 yNS' a \`D =v ^ < N Q6 &.V 8 # PP k x5r' W}< : J 4WJj ^ dV 3 G g R : > ? y_ u41 H q pjy O ;._ u TX ? A? 1 [/ 4 g I6 L + ;ac otS/ *D @6 A'Y l1 b 1ZM -= 3 P [ @ ) 3 /E @ ^ xp] ----------------------------------------------------------------------- 2004-07-27 16:05:31.811135 localhost:2694 > localhost:https tcp AP S:1488880065 A:1763531055 W:57344 (DF) _______________________________________________________________________ \ p s k & M J UP Qy q ! 5 YvP w 3 K f Q$ & = Y @ _ e`8 :7 u w f ]: R $ U Z j) 0 "9w i= 2i { " H Q i P w ` ----------------------------------------------------------------------- 2004-07-27 16:05:31.813527 cfw01.seccuris.com:domain > cfw01.seccuris.com:4203 udp (DF) 0x0100| 447c 8180 0001 0001 0000 0000 0233 3701 |D|...........37. 0x0110| 3003 3131 3203 3230 3407 696e 2d61 6464 |0.112.204.in-add 0x0120| 7204 6172 7061 0000 0c00 01c0 0c00 0c00 |r.arpa.......... 0x0130| 0100 0099 a800 1405 6366 7730 3108 7365 |........cfw01.se 0x0140| 6363 7572 6973 0363 6f6d 00 |ccuris.com. 2004-07-27 16:05:31.862537 localhost:https > localhost:2694 tcp AP S:1763531055 A:1488880263 W:57344 (DF) _______________________________________________________________________ 0D 9 |v FN J 4 @ r% ' ( ; ]d i [ ----------------------------------------------------------------------- 2004-07-27 16:05:31.871066 localhost:2694 > localhost:https tcp AP S:1488880263 A:1763531114 W:57344 (DF) _______________________________________________________________________ 0 X h - M n(f n g\ ?nk b k & XY P# > ] 1 "g= *) ) P R u W - f t +# k # 32 : `< _ j ;m ( ( l A ,xp z ]&t1I Ty c t t y * %[ j 7 .fJ l1\ [ + 4r ~ # X 7f y} R Dz K 50#s V < ----------------------------------------------------------------------- 2004-07-27 16:05:31.874256 localhost:https > localhost:2694 tcp AP S:1763531114 A:1488880545 W:57344 (DF) _______________________________________________________________________ X 0 |f n t L h u &h^ x 4 D ? F u p @ X ~ h5[}) A r ' @} ; `E ? -*: fj $Q x g }b( _ # ` ,[R( = x l >+F S . ) q B s K4 o J p6k5 y ,G Di Z A Bx D ; G0 F k c~Gn? \w 0 $/ gj9wny tZ a X [ F P zg 4 )Kg / = ne0 12 gh, "5 r X 7 K p "OP A o F t r EF }/ ( z ----------------------------------------------------------------------- 2004-07-27 16:05:31.891474 localhost:2694 > localhost:https tcp AP S:1488880545 A:1763531519 W:57344 (DF) _______________________________________________________________________ a | D+U ~v ~ k ----------------------------------------------------------------------- 2004-07-27 16:05:31.891926 localhost:https > localhost:2694 tcp AP S:1763531519 A:1488880582 W:57344 (DF) _______________________________________________________________________ U ? { u' "X ([ 9b u 1 ----------------------------------------------------------------------- 2004-07-27 16:05:31.892638 localhost:https > localhost:2694 tcp AF S:1763531556 A:1488880582 W:57344 (DF) _______________________________________________________________________ ----------------------------------------------------------------------- 2004-07-27 16:05:31.892711 localhost:2694 > localhost:https tcp A S:1488880582 A:1763531557 W:57307 (DF) _______________________________________________________________________ ----------------------------------------------------------------------- 2004 Yvan Boily -----Original Message----- From: Thomas Schreiber [mailto:ts () securenet de] Sent: Tuesday, July 27, 2004 9:57 AM To: webappsec () securityfocus com; Mark Curphey Subject: RE: Growing Bad Practice with Login Forms I see a problem at the semantic level: People should be educated to look at the unfakeable Browser Icon - and not at some promise inside the webpage - to convince themselves that the connection is secure *before* they send sensitive data. What if the button promises 'Secure Login' but after sending they realized it wasn't - it's to late, the password may already have been sniffed by some colleague on the same wire. If people learn at websites they trust, that the browser icon *always* indicates a secure connection before they send sensitive data, then they will automatically behave correctly if they encounter a website where this is not the case: they get suspicious and think twice about clicking the send button or not. So I second: bad practice. Beste Gru?e Thomas Schreiber ____________________________________________________________ SecureNet GmbH - http://www.securenet.de +49 89/32133-610 mailto:ts () securenet de > -----Original Message----- > From: Mark Curphey [mailto:mark () curphey com] > Sent: Tuesday, July 27, 2004 3:56 PM > To: > Subject: Growing Bad Practice with Login Forms > > > I am seeing more and more sites implementing a bad practice with login > forms. > > To pick on a high profile site that should know better take ISACA as an > example. > > http://www.isaca.org/ > > In the top left hand corner you will see their secure login button and a > graphical padlock embedded into the HTML. Of course if you look > at the form > tags, this does indeed submit the form over SSL and in the > process the SSL > handshake checks the certificate and my browser should verify that I am > indeed sending my password to isaca.org. > > But at that point its too late. The check for server > authentication is done > after I have sent by username and password. This IMHO is a bad > practice that > has started to creep into other sites including online banking. > > I have added the issue to the OWASP Pen Test CheckList.
Current thread:
- Re: successful anonymous login, (continued)
- Re: successful anonymous login Adam Tuliper (Jul 27)
- RE: successful anonymous login Jose Rivera (Jul 27)
- RE: successful anonymous login dave kleiman (Jul 27)
- RE: successful anonymous login Yaakov Yehudi (Jul 28)
- RE: successful anonymous login V. Poddubnyy (Jul 27)
- Re: Growing Bad Practice with Login Forms Merlijn Tishauser (Jul 27)
- RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
- Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
- Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
- Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)
- RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- Re: Growing Bad Practice with Login Forms Darragh O'Brien (Jul 27)