"sniffing"

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

"sniffing"

Post by s.dot »

How worried should I be about what I read as "network sniffing" to gather passwords that are POSTed in plain text?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd think that'd swing off of how dangerous the sniffed password could be.. but generally, you should be fairly paranoid.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

So I guess I need to read that challenge/response topic :P
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: "sniffing"

Post by Roja »

scrotaye wrote: How worried should I be about what I read as "network sniffing" to gather passwords that are POSTed in plain text?
Let's list common situations in which sniffing can occur with minimal effort:

- Using the internet over wireless (Starbucks, Airport, Colleges, etc)
- Using the internet at work
- Using the internet from a cable modem or DSL (depending on their setup)

All three can be (and often are) a shared network configuration, making sniffing trivially easy. Then there are all the configurations that with minor effort can allow an attacker to do the same, making it a really large scope.

When you tie all of that together with the *huge* number of botnets that are active today, and the number of people that use the same password across multiple websites (including their bank!!!), it's a recipe for disaster.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If you have a test lab where you can sniff your own data (don't try this on a public network because it's probably illegal) you could simply install something like tcpdump/windump and filter HTTP POST messages that include password and username.. You'd be surprised how easy it is ;)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Nothing like opening a dumped file with a few hours' worth of network traffic...;) It's not only possible, but ludicrously easy once you see it done. SSL is the obvious solution but C/R can offer a non-SSL weak alternative in certain cases. Just bear in mind it's not an SSL replacement for anything.
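What the "SSL is the obvious solution" advice above looks like at the top of a PHP login script, as an added example that is not code from anyone in this thread. It assumes PHP terminates TLS itself, so `$_SERVER['HTTPS']` can be trusted; `CANONICAL_HOST` and `plaintext_login_response()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Placeholder: the site's real HTTPS host name. Never build the redirect
// target from the client-supplied Host header.
const CANONICAL_HOST = 'www.example.com';

// Assumption: PHP sees the TLS connection directly. Behind a TLS-terminating
// proxy, check the header set by that trusted proxy instead.
function request_is_tls(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Returns null when the request arrived over TLS, otherwise
// [status code, redirect target or null, body] for the refusal.
function plaintext_login_response(array $server): ?array
{
    if (request_is_tls($server)) {
        return null;
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // The password has already crossed the network in the clear.
        // Do not process it, and do not redirect in a way that replays the body.
        return [400, null, 'Login must be submitted over HTTPS. Change this password.'];
    }
    // Plain GET of the login page: send the browser to the HTTPS form.
    return [301, 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/'), ''];
}

$refusal = plaintext_login_response($_SERVER);
if ($refusal !== null) {
    [$status, $location, $body] = $refusal;
    http_response_code($status);
    if ($location !== null) {
        header('Location: ' . $location);
    }
    exit($body);
}

// From here on the request is known to be encrypted in transit.
header('Strict-Transport-Security: max-age=31536000'); // browser refuses HTTP next time
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
// Verify $_POST['username'] / $_POST['password'] here, e.g. with
// password_verify() against a hash created by password_hash().
```

The 400 branch matters because a redirect after a plaintext POST only hides the problem: anyone capturing traffic on the shared network already has the password by the time the server answers.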