Consider a scenario where user authentication (username and password) is entered by the user in the page's form element, which is then submitted. The POST data is sent via HTTPS to a new page (where the PHP code will check the credentials). Now if a hacker sits in the network, and say has access to all the traffic, is the application layer security (HTTPS) enough in this case? I mean, would there be adequate URL encryption, or is there a need to have transport layer security?
4 Answers
Yes, everything (including the URL) is going through the encrypted channel. The only thing that the villain would find out is the IP address of the server you are connecting to, and that you are using HTTPS.
Well, if he were monitoring your DNS requests as well, he might also know the domain name of the IP address. But just that; the path, query parameters, and everything else are encrypted.
Well that pretty much answers my question. But is there any way (as a web designer) to enforce users to use only HTTPS while accessing my site? – Hari Mar 15 '11 at 10:01
-
Have every page on the HTTP site redirect to the same URL but with the https protocol. – Quentin Mar 15 '11 at 10:05
-
That makes sense. Also, I wanted to ask if HTTPS does some sort of URL string encryption, since POST data pretty much appends the information to the URL (to prevent, say, someone from looking at your URL and getting your information). – Hari Mar 15 '11 at 10:08
-
That is in the hands of the person who sets up the webserver. If you control only the website itself (as in - only the php/C#/java/whatever code), then there is little you can do. I suppose you can detect if the request came over non-HTTPS and then display a 403 or something, but that's the most. You cannot enforce HTTPS through code. Especially because you will need the correct certificates for the site anyway. – Vilx- Mar 15 '11 at 10:09
-
You can enforce HTTPS in the webserver's settings, or in .htaccess, without rewriting every link in your page to use https. Also: POST data does not get sent in the URL, GET data is. – Maerlyn Mar 15 '11 at 10:09
-
Also, as I said - **the URL is already encrypted**. All the GET, POST, COOKIE and other headers are encrypted. – Vilx- Mar 15 '11 at 10:10
-
He meant shoulder surfing, not MITMing the url. – Maerlyn Mar 15 '11 at 12:38
Yes. In HTTPS only the handshake is done unencrypted; even the HTTP GET/POST queries are encrypted.
It is however impossible to hide what server you are connecting to: since he can see your packets, he can see the IP address your packets go to. If you want to hide this too you can use a proxy (though the hacker would know that you are sending to a proxy, but not where your packets go afterwards).
HTTPS is sufficient "if" the client is secure. Otherwise someone can install a custom certificate and play man-in-the-middle.
As a web developer not much can be done other than disallowing HTTP requests. This can be done via mod_rewrite in Apache.
Correct me if I am wrong. The HTTPS certificate is the entity for end-to-end authentication, right? I am assuming that the intruder has access only to the traffic on the network. I guess for modifying the certificate, you need to hack into the source computer first. – Hari Mar 15 '11 at 10:57
-
Yes, it has to be issued/signed by a trusted entity (e.g. VeriSign). If someone has access to the client, a new entity can be installed that will verify the man-in-the-middle cert to be correct. – Shamit Verma Mar 15 '11 at 10:59
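An added Apache configuration, not from the answers above, that implements the enforcement this answer and the earlier comments describe (redirect every plain-HTTP request to the same URL over HTTPS, using mod_rewrite, or the same two Rewrite lines in .htaccess where AllowOverride permits it). The hostname, certificate paths and `Header` line (which needs mod_headers) are assumptions for illustration.

```apache
# Plain HTTP: answer nothing except a redirect to the HTTPS copy of the same URL.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # Only rewrite requests that did not arrive over TLS (also safe inside .htaccess).
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS: the real site.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # HSTS: for one year, browsers that have seen this header upgrade http:// links
    # and typed URLs to https:// before sending anything, so the redirect above is
    # never needed again on this client.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

One caveat worth checking: the redirect only protects the request that triggers it. If the login form's `action` points at an http:// URL, the browser sends the credentials in the clear first, and the 301 turns the POST into a GET with the body dropped. Serve the form from an HTTPS page with an https:// (or relative) action, and verify with a browser's network panel that no http:// request is made during login.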
It is adequate, because if he has access to all your traffic, it doesn't matter what encryption protocol you use: he can use man in the middle for both encryption protocols.
-
HTTPS is designed to prevent man in the middle. It's pretty difficult to do anything sensible there (though there has been at least one possible attack demonstrated, with limited usability). – Vilx- Mar 15 '11 at 09:59
-
Wouldn't there be some sort of endpoint authentication in HTTPS that would defeat MITM? – Hari Mar 15 '11 at 10:04
-
As I said, if he has access to all traffic, MITM is possible on HTTPS. For dummies: http://www.youtube.com/watch?v=6gdAwi-b038 – Sacx Mar 15 '11 at 10:07
-
Wtf? I don't see a MITM attack in the video. All the browsers clearly complained that the certificate is invalid (or rather, that it hasn't been signed by a trusted authority). If the user still clicks OK, it's his own fault. A MITM attack would be invisible to the user. – Vilx- Mar 15 '11 at 11:55
-
@Vilx- it's NOT "the user's own fault". You shouldn't be expecting your end users to provide their own security and to know what an SSL certificate warning means. It's your fault as a developer and sysadmin for A) allowing your site's cert to be compromised and B) not taking measures to prevent information disclosure in the case of that compromise. – ashgromnies Feb 06 '14 at 20:32
-
@ashgromnies - we're talking about a MITM attack here. Neither the user nor the webmaster can do ANYTHING to prevent that. However the HTTPS protocol allows you to **detect** this attack (normally on the client side only) and the certificate warning **is** the alert in this case. Seriously, what else do you suggest? – Vilx- Feb 07 '14 at 10:31