passwords that get sent in plain text?

[slinky2004]

apparently a lot of services that require a login still handle the username and password as plain text, making it relatively easy to get with a sniffer. i remember a nifty exhibit concerning this at defcon, it was called the "wall of sheep". anyway, i want to know:

1. what services still send passwords out in plain text? if i log in to any web interface that isnt using https or some encryption layer(message boards, web mail, etc.), is my info just being sent in plain text? what about a pop3 email account or a video game like world of warcraft or guild wars?

2. what can a i do about it? is there some kind of personal encryption layer that i could use? i'm not sure if that would work because the server would have to decrypt it on other side.

[HTRegz]

Hey Hey,

There will always be systems that use plain text that you have to use... The idea is to trust your local network (the odds of the data being sniffed as it crosses the Internet is much less likely) and trust the recipient and do your best (at least with the local network) to ensure it's secure..

As far as what's plain text... that's endless, some of the major ones are: HTTP, FTP, Telnet, POP3, SMTP, IRC... however there are options for most of these..

Instead of using HTTP, use HTTPS... if a site doesn't use it, question why or don't use the site... also ensure that the site isn't using it's own local encryption methods (then HTTPS may not be needed)

Instead of FTP use SFTP... most places these days will provide it as an alternative

Instead of telnet use SSH... there will seldom be times when telnet is actually needed, SSH should always be used instead...

Instead of POP3 use pop3s... if that isn't an option investigate a new mail provider..

Instead of SMTP use smtps... again same as above..

Instead of IRC use IRC over SSL or move to SILC..

However the number of plaintext protocols is practically endless... especially as people devise their own apps.... The idea is to control as much as you can and have a little faith....

For things like personal encryption you could encrypt your email (which you should do anyways as it crossing the wire in plain text can be as bad as your password crossing)..

Anyways you have to realize that plain-text protocols aren't what you should be afraid of... there are many things out there that are much worse...

Secure your local network and you've done everything you can... Everyone uses plain text and, so far, most of us have not had a problem with it..

Peace,
HT

[slinky2004]

i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff. if they mac spoof they would probably be pretty difficult to catch, so i dunno if disciplinary action(which is probably severe) will be much of a deterrent.

[SirDice]

Everything and everybody can be traced. Even those that "mac spoof". As long as you have access to the routers and switches you can trace someone up to the port s/he is connected. After that it's a matter of following the wire.

[slinky2004]

you mean the physical ethernet ports of the router, not tcp/ip ports, right? what if they use wifi?

[mohaughn]

Originally posted here by slinky2004
i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff. if they mac spoof they would probably be pretty difficult to catch, so i dunno if disciplinary action(which is probably severe) will be much of a deterrent.

On that type of network I would not conduct any sensitive business over a clear text connection.. By sensitive I mean, health and medical history, banking, etc...

However, all of those services will use atleast 128bit encryption.

Do you really stand to lose a lot if somebody gets into your google or hotmail account? Even those use https for the authentication. In order to assess the risk that you face you have to think about how much will it cost you if xyz data is intercepted. I would imagine for a college student as long as you make sure you cover yourself for identify theft, you don't have much else to worry about.

[SirDice]

Originally posted here by slinky2004
you mean the physical ethernet ports of the router, not tcp/ip ports, right?

Correct..

what if they use wifi?

Triangulation..

[xierox]

Originally posted here by slinky2004
i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff.

You can minimize this risk if you have the following:
- Broadband, always on connection at home (best if it has static IP, but possible if it's dynamic)
- Extra computer

Set up a SSL server at home that you can connect to. You can then route all your sensitive traffic (web browser, instant messenger programs, etc.) through that. Now, I've never personally done this, but I know it's more than possible.

- Xierox