Login without HTTPS, how to secure?

by

HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. Public wifi networks put users at risk, and when used correctly, HTTPS is the only tool that can protect user accounts from this vulnerability.

If your host doesn’t support HTTPS then a service like Cloudflare Universal SSL can be used to ensure all browsers connect to your site using HTTPS, even if your server doesn’t support SSL/TLS. The connection between Cloudflare and your website will still be unprotected, but this Cloudflare service is intended to protect users against threats found on public wifi networks. From the perspective of a penetration tester, not providing HTTPS is highly suspect, if you aren’t providing a basic security requirement as delivering traffic, then what other security requirements are you missing? HTTPS certificates can be obtained for free using Let’s Encrypt or Start SSL, there is no legitimate reason not to support HTTPS.

HTTPS is vital because it does lot more than just “encrypt passwords”. Another important role is that it should prevent the user from giving logging into a malicious server that is impersonating a real server. Using a system to protect the password alone is still a violation of OWASP A9 – Insufficient Transport Layer Protection because you would still be transmitting session credentials in plain text which is all the attacker needs (Firesheep).

  1. JavaScript-based cryptography cannot be used to construct a secure transport layer.

  2. “Tokenize logins”: If an attacker is sniffing
    the traffic, they’ll have the plain text username/password and then
    they can just login with these new credentials. (Replay attack)

  3. “Somehow encrypt the transmitted password”: After the person has logged in
    an attacker can sniff the traffic to get the valid session id
    (cookie) and then just use this instead of logging in. If the
    entire session was protected with SSL/TLS then this is not a problem.

There are other more complex attacks that affect both this system and our current SSL infrastructure. The SSLStrip attack goes into greater detail. I highly recommend watching Moxie Marlinspike’s Blackhat 2009 talk, which lead to the HTTP-Strict-Transport-Security standard.

More Related Contents:

  1. How do you Encrypt and Decrypt a PHP String?
  2. Simplest two-way encryption using PHP
  3. How to encrypt/decrypt data in php?
  4. Two-way encryption: I need to store passwords that can be retrieved
  5. PHP AES encrypt / decrypt
  6. Many hash iterations: append salt every time?
  7. MCrypt rijndael-128 to OpenSSL aes-128-ecb conversion
  8. Detecting Ajax in PHP and making sure request was from my own website
  9. Is it secure to store a password in a session? [duplicate]
  10. What encryption algorithm is best for encrypting cookies?
  11. How do I post multiple parameters to a URL
  12. Can anyone help me what is wrong in this code ajax using with php? [closed]
  13. Why would one omit the close tag?
  14. Reference: What is a perfect code sample using the MySQL extension? [closed]
  15. Exploitable PHP functions
  16. Send JavaScript variable to PHP variable [duplicate]
  17. Redraw google chart based on user input via AJAX request
  18. Preventing Directory Traversal in PHP but allowing paths
  19. What is the best way to stop people hacking the PHP-based highscore table of a Flash game
  20. How to best store user information and user login and password
  21. Resize iframe height according to content height in it
  22. Is it possible to hide/encode/encrypt php source code and let others have the system?
  23. Ajax File Download using Jquery, PHP
  24. Is it ever ok to store password in plain text in a php variable or php constant?
  25. Do AJAX requests retain PHP Session info?
  26. Insert data through ajax into mysql database
  27. Call PHP function from jQuery?
  28. show progressbar while loading pages using jquery ajax in single page website
  29. AESCrypt decryption between iOS and PHP
  30. How to call a php function from ajax?

Leave a Comment