Hi All

I just made a site using Drupal 6.2 and on the front page I have kept the "user login" block. I hosted this site using a third-party web server.

I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC. By checking a few packets' content I could figure out the user name and password in plain text.

So it looks like others can see these packets and get the administrative user name and corresponding password and hence can modify site content, and it is really dangerous. I assume people must have thought of it and there should be some way to make sure the username and password are encrypted by default, hence avoiding a third-party role in site content modification.

Please guide me in this regard and provide some pointers on how I can make the username/password secure while logging in to sites based on Drupal.

Regards
Austin
You can:
- Use SSL for the login page. But I think the mixture of http/https sessions is solved better in D7.
- Use another login mechanism, like sending the md5 hash directly to the server. This way your password is "safe" (don't correct me on this word ;-) ). However, any attacker can capture your packets and replay the login without any difficulty.

--
Hai-Nam Nguyen (aka jcisio)
http://jcisio.com

On Sun, Jan 9, 2011 at 9:36 AM, Austin Einter <austin.einter@gmail.com> wrote:
You can configure your site to use https on pages where you want to log in; that way the auth information does not cross the net in clear form. It takes some planning to do correctly, though, especially if you don't want the whole site to be accessed over S-HTTP, for performance reasons.

----- Original Message -----
From: "Austin Einter" <austin.einter@gmail.com>
To: <development@drupal.org>; <support@drupal.org>
Sent: Sunday, January 09, 2011 9:36 AM
Subject: [development] Security and Drupal
This is standard website stuff. If you want to make your passwords secure, use an SSL certificate.
http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-poss...
Googling will get you plenty more results.

On 09/01/2011, at 8:23 PM, FGM wrote:
You can configure your site to use https on pages where you want to log in; that way the auth information does not cross the net in clear form. It takes some planning to do correctly, though, especially if you don't want the whole site to be accessed over S-HTTP, for performance reasons.
----- Original Message -----
From: "Austin Einter" <austin.einter@gmail.com>
To: <development@drupal.org>; <support@drupal.org>
Sent: Sunday, January 09, 2011 9:36 AM
Subject: [development] Security and Drupal
You need to require SSL on every page that you want to control access to. If only the log-in page requires an SSL connection, an attacker does not need your user name and password. Drupal uses cookies for authentication. A cookie is sent with every page request, so observing any traffic at all enables an attacker to gain full control of your account.

On Jan 9, 2011, at 4:23 AM, FGM wrote:
You can configure your site to use https on pages where you want to log in; that way the auth information does not cross the net in clear form. It takes some planning to do correctly, though, especially if you don't want the whole site to be accessed over S-HTTP, for performance reasons.
On 9 Jan 2011 08h36 WET, austin.einter@gmail.com wrote:
That's how it's supposed to be. HTTP is a plain text protocol. TLS/SSL works below that layer. There are several possible solutions, like others have referred:

1. Put all your site over TLS.

2. Put part of the site over TLS. This approach, although better in terms of not sending the password as plain text, does not provide benefits in the way the cookies are handled, since you cannot mark them as secure, meaning they can be sent over regular HTTP.

3. There's a very nice module http://drupal.org/project/safer_login that sends a salted double pass MD5 hash of your password. It uses a jQuery MD5 plugin. The issue is that it has problems with the usual password saving mechanism in browsers, since what appears in the password form field is the hash and not the password. If you can live with *always* entering your password, hence not relying on the convenient password remembering mechanism available in browsers, this is a very cheap and easy way of securing the login process.

Remember that sending a simple hash, be it MD5 or even SHA1, is not a guarantee that it cannot be cracked. There are plentiful sites out there that offer rainbow tables for your convenience. The recent gizmodo snafu shows that a simple hash is as vulnerable as plain text.

On a different note, *always* mark the cookies HttpOnly.

--- appa
On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida <appa@perusio.net> wrote:
3. There's a very nice module http://drupal.org/project/safer_login that sends a salted double pass MD5 hash of your password. It uses a jQuery MD5 plugin. The issue is that it has problems with the usual password saving mechanism in browsers, since what appears in the password form field is the hash and not the password. If you can live with *always* entering your password, hence not relying on the convenient password remembering mechanism available in browsers, this is a very cheap and easy way of securing the login process.
This secures the password, but not the session. The session token is still sent in the clear and can be sniffed and hijacked (see Firesheep). The safer_login module is mostly "security theater" designed to make people feel good but not actually increase security.

I think OpenID where users can have a provider that uses https is a better solution if the only goal is to protect the user password but not necessarily the session. OpenID has the benefit of reducing the number of passwords that a user has to remember and can make it more cost effective to do multi-factor authentication (e.g. using a SecurID token).

Regards,
Greg

--
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
On 9 Jan 2011 17h25 WET, Greg@growingventuresolutions.com wrote:
This secures the password, but not the session. The session token is still sent in the clear and can be sniffed and hijacked (see Firesheep).
Yes I know that.
The safer_login module is mostly "security theater" designed to make people feel good but not actually increase security.
Well it's a tiny bit better that sending the password in plain text. In fact there's no mechanism whatsoever to secure the session. For that you need full TLS and marking the cookies as secure.
I think OpenID where users can have a provider that uses https is a better solution if the only goal is to protect the user password but not necessarily the session. OpenID has the benefit of reducing the number of passwords that a user has to remember and can make it more cost effective to do multi-factor authentication (e.g. using a SecurID token).
Yes it's more convenient. Also there's no interference with the usual browser password remembering mechanism. Thank you for elaborating on that. Of course you're then relying on an external service for handling the authentication.

If you really want to be safe, IMHO, the only option is using TLS and disabling all insecure cipher suites and key exchange algorithms. If you're on chrome/chromium or using Firefox with NoScript you can set the STS header and force the access to always be HTTPS. But I digress...

I also think that the price you pay in terms of computing power is very small if the server is correctly configured with an SSL session cache.

--- appa
Hi, you could try the Secure Login module. Disable the Secure Login setting that redirects https logins back to http. In Apache, configure the https vhost to enable the PHP session.cookie_secure setting. Now all logins will be via https and the authenticated session cookie will only be sent from/to the https site (anonymous sessions on http will still be possible as long as you only enable session.cookie_secure on the https site).

--mark B.

On Jan 9, 2011 12:37 AM, "Austin Einter" <austin.einter@gmail.com> wrote:
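Mark's recipe above, written out as an Apache/mod_php configuration (an added illustration for this thread, not code from the Secure Login project or from any poster): the plain-http vhost leaves session.cookie_secure off so anonymous sessions keep working, while the https vhost turns it on, adds the HttpOnly flag appa asks for, restricts cipher suites and sends the STS header he mentions. The host name, paths, cipher string and max-age are assumed placeholders.

```apache
# Constructed example; example.org, DocumentRoot and certificate paths are placeholders.

# Port 80: anonymous traffic only. session.cookie_secure stays off here so a
# visitor who never logs in still gets a working session, as Mark describes.
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot /var/www/drupal
    php_flag session.cookie_httponly on
</VirtualHost>

# Port 443: every authenticated page lives here. With cookie_secure on, the
# browser will not send the session cookie over plain http, which closes the
# gap Darren points out (the cookie otherwise rides on every http request).
<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/drupal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    # Drop weak suites (anonymous DH, MD5, export and low-strength ciphers);
    # the exact string to use depends on the installed OpenSSL. Assumed value.
    SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW
    SSLHonorCipherOrder on

    # PHP session cookie: sent only over TLS, never readable from JavaScript.
    php_flag session.cookie_secure   on
    php_flag session.cookie_httponly on

    # Strict-Transport-Security: a supporting browser refuses plain http for this
    # host for max-age seconds (one year here). Needs mod_headers loaded.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To confirm the setting took effect, log in over https and check that the Set-Cookie response header for the session cookie carries both the `secure` and `HttpOnly` attributes; if settings.php overrides the PHP session options, the vhost flags will be ignored.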
participants (8)
- António P. P. Almeida
- Austin Einter
- Chris Skene
- Darren Oh
- FGM
- Greg Knaddison
- jcisio
- mfburdett@gmail.com