Encrypting login form

jchapa

Hello to all,

I just conducted a test with EtherReal to test my site for password hijacking vulnerabilities and found out that my users' passwords can be sniffed when entered into the login.htm form. I have a php script that hashes the password before passing it to MySQL. However, I would like for the password to be encrypted at the form level as well.

Any feedback is appreciated.

Chapa

Weedpacket

Obviously, that would have to be done on the client machine; a Javascript forum would therefore be a better place to seek advice on this. (I'm assuming you don't want to get an SSL certificate.)

Ceril

Your post is an interesting one...

I myself would also like to know more about "Sniffing"

So far as I know:
You can only sniff with a set of permissions on the network the information passes?

And if you can sniff, it does not matter if the data is encrypted since you'll receive and send keys that will be sniffed, and since this is sniffed it should not be so much work to realy decode it. Heard something along thoose lines concerning https and that it was a false sense of security for someone who knew how to work crypts?

jchapa

Originally posted by Ceril
Your post is an interesting one...

I myself would also like to know more about "Sniffing"

So far as I know:
You can only sniff with a set of permissions on the network the information passes?

And if you can sniff, it does not matter if the data is encrypted since you'll receive and send keys that will be sniffed, and since this is sniffed it should not be so much work to realy decode it. Heard something along thoose lines concerning https and that it was a false sense of security for someone who knew how to work crypts?

I own a collection of Hacking Exposed Series. One of the Editiions is on Web Applications. It discusses all the vulnerabilities and which security methods are the best and how hackers attempt to compromise the system. These books are written in an effort to provide knowledge for countering the hack attacks. I have applied some of their suggestions and hardened my network and servers. However, one must always be vigil.

ajbrown

What kind of website is this? This may be more work than it's worth. If we're on the same page here, The only way to sniff the data transmitted from the form is to be on the same collision domain as either the server or the client, or to gain remote accesss to any machine which handles the data.

In the case of being on the same collision domain as the client, you're only going to sniff the username/password of accounts that are accessed from computer on that collision domain. If you're sniffing from the server side, however, you could intercept the password of ANY user attempting to log in.

Even if you did javascript encryption, the encrypted string can be intercepted. Though this won't tell the sniffer what the actual password is, they can just use that string instead of the password and bypass your javascript encrypting.

Your only real solution is an SSL certificate.

laserlight

And if you can sniff, it does not matter if the data is encrypted since you'll receive and send keys that will be sniffed, and since this is sniffed it should not be so much work to realy decode it.

A public key cryptosystem would solve the key distribution problem.

jchapa

Well I went ahead and setup Apache with modSSL and it worked like a charm. I tested my encryption using EtherReal, I could sniff the traffic, but it was all encrypted. So users logging to the system where in a supposed secure environment and their passwords where not echoed in plain text via the login.htm form.

Thank you all for the feedback.

Chapa