May 22nd, 2008 04:35 PM
Quick HTTPS question
Quick question: I have this guy claiming that Chase's online banking is insecure, because it's an http page and not an https page (http://www.chase.com), and that "you can login on an unsecure page" (sic).
I could be totally wrong here, but that's not an issue, is it? I would think that as soon as you hit the Log On button, an SSL or TLS session is set up, and that session is used to send the username and password. The fact that the session is only set up when you hit Log On (and not before you even start filling out your username and password) is insignificant, no? In both cases, the username and password are sent over a (secure) SSL connection, so what's the problem?
May 22nd, 2008 04:51 PM
Check the source. There's a section in there named 'start login_module_shared'. Glancing through it, you can see that it's passing the login info to a https address.
<form style="display: inline; margin: 0; padding: 0;" name="logonform" id="logonform" align="center" autocomplete="off" action="https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc" method="POST" onSubmit="return validateandsetcookie(document.logonform.usr_name, document.logonform.usr_password.value, document.logonform.remember.checked, '.chase.com','RBGLogon')">
May 22nd, 2008 07:54 PM
It's sending the information there...
That is true. Is it being encrypted before it's sent there? Doesn't the browser have to send the username and password to the server before any encryption is taking place, if it's being sent over port 80? The only way that the login information is being secured before it leaves the browser is if the encryption is taking place client-side. Are you suggesting this is happening? If not, the login information is traveling over port 80...
I wonder what a packet sniffer would find if it intercepted the web traffic going to the https url. Communication has to be initiated before any handshaking takes place, and the username and password are being sent, when you click the submit button, before an encrypted session is started, is it not? You are not actually in an encrypted session until you see the locks in the browser stating the certificate that is being used and there is https in the URL.
Unless I am mistaken, you are initiating the communication with the server over port 80 http. The communication request is for a new port 443 connection and the server responds by sending an https URL over port 443. Until the machines are both communicating over https on port 443, it is not encrypted traffic. That means the username and password is not encrypted during the first trip to the server. If anyone has some facts or links explaining how this is secure, I would love to see them.
Last edited by itPro; May 22nd, 2008 at 08:07 PM.
May 22nd, 2008 08:09 PM
the username and password are being sent, when you click the submit button, before an encrypted session is started, is it not?
You seem to suggest that the customer's username and password are being used to initiate the SSL connection (in the handshake), which is not the case. The encrypted session is set up first, then the customer username and password are sent (over the encrypted session).
May 22nd, 2008 08:28 PM
May 22nd, 2008 10:56 PM
As far as I know, as soon as you click the Log On button, an SSL session (with the https page) is initiated (through the "action" of the form). It can't send the information via port 80 to the https page (and it doesn't), because the https page only accepts SSL connections. Almost all online payment services (including PayPal) use that method (post to https), so from that fact alone, I'm going to conclude that it's got to be pretty secure (and, thus, that there's no sensitive data being sent over an insecure connection).
May 22nd, 2008 11:05 PM
I believe this page spells it out completely: http://www.michaelhorowitz.com/securesubmit.html
Check the "Bad News" section (the rest is pretty interesting, too, but that section clearly explains why the post https method is secure).
May 23rd, 2008 12:21 AM
Thank you. I was still uncertain about whether or not the information was being encrypted, but I read the article that you linked to. That was very informative. I feel a bit better about using Chase now. What finally satisfied my doubt was the fact that I set FireFox to alert me whenever I was sending unencrypted data. When logging in, I didn't get the warning.
It also clicked when you said that the browser doesn't attempt to connect over port 80. I'm still curious as to how exactly the procedure takes place. I'm going to assume (yet again) that the browser finds the server, asks the server what port and protocol to use, and then begins the process of starting the data transfer. The login is being sent, but it is being encrypted first.
Nevertheless, I will still not just assume that a webpage is offering an encrypted login just because there is a .gif or a .jpeg of a lock on the page. That is a practice that should still be avoided, and it would be wise not to just assume that things are safe. While I was wrong about the login information being sent in clear text, I was right to be wary. (I'm so glad that someone with some expertise finally cleared up my worries on this one...)
Anyway, thanks again.
May 23rd, 2008 12:36 AM
If it makes you feel any better: I had no clue about the things in the "Interesting Part" part of the article (I just noticed, btw, that the article specifically mentions Chase).
May 23rd, 2008 02:15 PM
Without having read the article, would I be correct in guessing that the method used is :
1) When user hits submit, send a 'blank' request for the https page
2) Fill in the blanks on the https page on client-side
3) Submit the https page with the login details back through the secure port
By DerekK in forum Network Security Discussions
Last Post: September 10th, 2004, 10:35 PM
By NetSec in forum *nix Security Discussions
Last Post: September 25th, 2002, 01:02 AM
By roswell1329 in forum *nix Security Discussions
Last Post: September 13th, 2002, 10:18 PM
By Obliterate in forum Newbie Security Questions
Last Post: August 26th, 2002, 10:44 AM
By lewzer in forum Newbie Security Questions
Last Post: August 7th, 2002, 03:07 PM