tags:

views:

152

answers:

7
+3  Q: 

password sent via post secure?

Possible Duplicate:
How secure is a HTTP POST?

Suppose I have a login page in php where a user is required to enter his name and password. form method is post in this case.

Now someone(my friend) told me that the information(username and password) that is entered and sent to the server can be hacked just by fetching the header of the resulting page generated. So you should encrypt the header and that is why HTTPS is used.

This didn't make sense to me because I thought the information (username and password) sent via post method are completely secure and just by header hacking one cannot have access to to the username and password.

Is my friend correct? If no is there any way to do such stuff for someone who has no access to the code? How can I send my private information via HTTPS (page to be coded in php)?

EDIT:

Data through get method is sent via header. Right? Is data through post also sent via header?

+3  A: 

Your password is not secure if you just send it with POST - still visible and unencrypted, albeit a tiny bit less obvious.

Sending an unencrypted password via POST is the most insecure, yet still relatively sane way of doing this. (yes, there are less secure ways, but those are completely insane - sending a password form through GET is about as secure as broadcasting it on TV or printing it in the newspaper).

This is what a typical GET request looks like:

GET http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1

Here's a similar POST request (note that you can send both GET and POST parameters in a POST request):

POST http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1
Content-Length: 40

with_POST&=the&content=is&here_in=the&request=body

As you can see, HTTP is a completely plaintext protocol - there is no encryption performed on the data, so anyone can view and/or modify it in transit. Access to the code is not necessary at all - just watch the traffic and your data will be there, for anyone to see (you can verify this with tools such as Wireshark which allows you to view network traffic).

To remove this need to trust the whole world, HTTPS (S is for Secure) was created, which provides encryption ("only the sender and receiver can read it") and authentication ("the server is indeed yourserver.example.com, and not evilserver.example.net").

HTTPS is a wrapper around HTTP: where with HTTP, the client connects to the webserver and starts the conversation, HTTPS first establishes a secure SSL tunnel, and the HTTP communication goes through that. Setting up a HTTPS server is a bit more complex than HTTP, see e.g. this article.

Piskvor  2010-07-28 14:36:38
Data through `get` mthod is sent via `header`. Right? Is data through `post` also sent via `header`?
Shekhar Gupta  2010-07-31 08:57:55
@user242265: No, and no. GET data is sent in the URL, and POST data is sent in the request body (not headers). Edited my answer with an example.
Piskvor  2010-08-02 07:20:50
+5  A: 

Without SSL, data sent through POST is equivalent to data sent through GET, or in other words, not encrypted at all.

Daniel Vandersluis  2010-07-28 14:37:08
Not quite equivalent. If sent through a GET it is still in cleartext even on an SSL connection.
JohnFx  2010-07-28 14:39:02
Sorry, I meant those two statements as two separate thoughts, I'll edit.
Daniel Vandersluis  2010-07-28 14:42:30
@JohnFx: Yup - sending data through GET is insane: it'll get stored in access logs and other places.
Piskvor  2010-07-28 14:43:16
@JohnFX: URLs in the GET header are encrypted, just like the rest of the data in HTTP over SSL/TLS ("HTTPS"). HTTP and TLS are separate layers. How do you figure that passwords transmitted via GET are not encrypted when sent over HTTPS?
bowenl2  2010-07-28 14:44:24
Piskvor  2010-07-28 14:48:38
@bowenl2: I stand corrected. After further research the URL is indeed encrypted when used with SSL, although as already mentioned, it still is not a good idea to send sensitive information in a get.
JohnFx  2010-07-28 15:23:55
+2  A: 

In case of a login form, I use javascript to hash the password before submitting the form. It will make it more difficult to get to it.

pritaeas  2010-07-28 14:38:43
Without some encryption, this is only minimally more secure than doing nothing at all.
JohnFx  2010-07-28 14:42:08
I agree with JohnFx. In this case, the *hash* of the password is now the "password". Someone can still capture the hash and re-send it again later, allowing them access.
Adam Paynter  2010-07-28 14:58:35
@Adam Paynter: Not if you use a nonce; but since this is all in plaintext, the attacker can easily just fake the initial server response and send hir own spoofed page which submits elsewhere.
Piskvor  2010-07-28 15:01:50
@Piskvor: True, I just assumed that a nonce wasn't involved, according to the answer.
Adam Paynter  2010-07-28 15:02:51
Also, if the attacker is quick enough (e.g. scripted), xe can grab and use your nonce before you do - that is not enough data to login, but enough for a DoS (as the nonce is already marked as "used" when you get around to using it).
Piskvor  2010-07-28 15:12:27
A: 

From Wikipedia

HTTP is unsecured and is subject to man-in-the-middle and eavesdropping attacks which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks.

If you're concerned about someone intercepting your data, use HTTPS.

Andy Evans  2010-07-28 14:40:30
You can still launch man-in-the-middle attacks on SSL connections. For example if I gain access to the network of the host or the client then it becomes a trivial matter to perform an ARP poisoning attack thereby redirecting traffic through my computer and create a proxy. So if you access "https://gmail.com" for example my computer would then request that site and forward it to the target computer. If a user is smart and keeps an eye on the little lock that most browsers display now they would notice it is self signed, not signed by Google. Not many people notice mid session.
Peter Hanneman  2010-07-28 14:47:15
How would that work, your proxy can't pretend to be gmail.com as it doesn't have it's private key. This is pretty much entirely the case that SSL is supposed to prevent.
John Burton  2010-07-28 14:55:18
@Peter Hanneman: self-signed -> not in browser's CA list -> "invalid certificate" warning, not "just a lock icon"; OTOH@JB: 1. proxy serves up a fake HTTPS gmail login page 2. browser throws big scary warning about "invalid certificate" 3. user clicks "ok ok yes yes allow ok" without even reading the dialog, just to make the scary warning go away. 4. Profit!!!
Piskvor  2010-07-28 15:04:55
Yes exactly the proxy computer would create a fake self signed certificate. Newer browsers like Chrome will alert you that there is something funny going on but like Poskvor said most people don't pay attention and will just click yes and accept the self signed cert. Tech savy users might be safe but you can't protect against stupid. The prime time to launch an attack such as this is mid session after the user might have already logged on. Even if you don't catch the username/password which are usually hashed client side before being sent out anyways you can still hijack the session.
Peter Hanneman  2010-07-28 15:16:03
Most applications that use HTTPS to phone home such as an Adobe Flash or Air application generally aren't told to do anything special in the case of coming across a self signed cert and will accept it automatically which is just dumb since they don't even prompt the user of the potential problem. Only secure solution to browse the internet safely is to create a SSH connection to a physically secured computer and browse through that machine.
Peter Hanneman  2010-07-28 15:29:54
A: 

I believe the php script that submits the form, and the form itself needs to be in a directory on the webserver that is set up with SSL. You have to have an SSL certificate enabled for that website, as well.

Dylan West  2010-07-28 14:40:40
+1  A: 

I thought the information (username and password) sent via post method are completely secure

Wrong. Data sent via POST is practically as unsecure as sent via GET. The only (marginal) difference is that GET data is slightly more "accesible", via urls histories and perhaps logs. But if someone can sniff the link, he can spy very easily user and passwords sent via a http request, (POST or GET) unless SSL (https://) is used.

leonbloy  2010-07-28 14:42:35
Data through get mthod is sent via header. Right? Is data through post also sent via header?
Shekhar Gupta  2010-07-31 08:58:40
POST data is not sent in the http header. That make zero difference in what respects to security.
leonbloy  2010-07-31 19:30:50
A: 

you can read the submitted data with Wireshark - http://de.wikipedia.org/wiki/Wireshark if you sent the form data without https.

User123  2010-07-28 14:45:09

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases