[development] Security and Drupal

António P. P. Almeida appa at perusio.net
Sun Jan 9 15:12:52 UTC 2011

On 9 Jan 2011 08h36 WET, austin.einter at gmail.com wrote:

> [1 <text/plain; ISO-8859-1 (7bit)>] Hi All I just made a site using
> Drupal6.2 and in front page I have kept "user login" block. I hosted
> this site using some third party web server.
> I tried to login to new site from my PC using my user name and
> password and prior to that I was capturing the packets those were
> being send/received by my PC.  By checking few packets content I
> could figure out the user name and password in plain text.
> So it looks others can see these packets and get the administrative
> user name and corresponding password and hence can modify site
> content and it is really dangerous.  I assume people must have
> thought of it and there should be some way to make sure username and
> password should be encrypted by default hence avoidimg third party
> role in site content modification.
> Please guide in this regard and provide some pointers how can I make
> username/password secure while logging in sites based on Drupal.

That's how it's supposed to be. HTTP is a plain text protocol. TLS/SSL
works below that layer.

There are several possible solutions, like other have referred:

1. Put all your site over TLS.

2. Put part of the site over TLS. This approach, although better in
   terms of not sending the password as plain text this approach does
   not provide benefits in the way the cookies are handled, since you
   cannot mark them as secure, meaning they can be sent over regular

3. There's a very nice module http://drupal.org/project/safer_login
   that sends a salted double pass MD5 hash of your password. It uses
   a jQuery MD5 plugin. The issue is that it has problems with the
   usual password saving mechanism in browsers, since what appears in
   the password form field is the hash and not the password. If you
   can live with *always* entering your password, hence not relying in
   the convenient password remembering mechanism available in
   browsers, this is a very cheap and easy way of securing the login

Remember that sending a simple hash, be it MD5 or even SHA1, is not a
guarantee that it cannot be cracked. There are plentiful sites out
there that offer rainbow tables for your convenience. The recent
gizmodo snafu shows that a simple hash is as vulnerable as plain text. 

On a different note *always* mark the cookies HttpOnly.

--- appa

> Regards
> Austin
> [2  <text/html; ISO-8859-1 (quoted-printable)>]

More information about the development mailing list