
Question

So I've been offered the chance to go to a day-long security awareness event hosted by some organization. On their site, I noticed the login box in the corner, but the site was delivered over HTTP. "They're probably doing what some other sites do and only using HTTPS for the actual login," I thought. So I checked the source of the page, found the form being submitted for login, and noticed 'http://...'.

So I decided to do a test: break out Google's developer tools and capture the POST. I still don't see any mention of HTTPS, and I see my fake password in plain text (so they didn't encrypt with JavaScript before sending).

I want to bring this to my coworkers' attention, but first I want to be sure that they actually are sending it over HTTP. Is there any other way to verify the connection is going over HTTP (other than setting up a MITM attack on myself, which I'm pretty sure would cause the network admin to express great... displeasure towards me)?

Explanation / Answer

What you have done is a pretty thorough test, but you can get ironclad proof this way: install Wireshark on your own computer, turn on packet capture, and perform the login. If it is HTTPS, the packets you capture will be marked as such and will be encrypted. If not, you will be able to see the login credentials en clair in the captured data.

Do note that encrypting client-side with JavaScript does not work. It is vulnerable to replay attacks and MITM attacks because whatever the client sends to the server effectively is the password, no matter what has been done to it.
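The two checks discussed above (does the form's action resolve to an http:// URL, and does the captured TCP stream carry a readable HTTP POST rather than TLS records) are shown below as an added example in Python. This is not code from the original question or answer. The page source, the POST payload and the TLS bytes are all constructed for the example, and the hostnames event.example and search.example, the form names and the credentials are made up; nothing here comes from the organization's actual site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# --- Constructed sample data (not taken from the site in the question) ---

# Page source of a login page served over plain HTTP. The login form has a
# relative action, so it inherits the page's scheme and still submits over HTTP.
PAGE_URL = "http://event.example/"
PAGE_HTML = """
<html><body>
<form id="login" method="post" action="/login">
  <input name="username"><input name="password" type="password">
</form>
<form id="search" method="get" action="https://search.example/q"></form>
</body></html>
"""

# What Wireshark's "Follow TCP Stream" would show for that form submitted
# over HTTP: request line, headers and body are all readable as-is.
HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: event.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)

# First bytes of a TLS ClientHello: record type 0x16 (handshake), record
# version 3.1 as TLS 1.2/1.3 put it on the wire. Truncated and constructed;
# it is just enough to show the header Wireshark labels as TLS.
TLS_CLIENT_HELLO = bytes.fromhex("16030100a4010000a00303")


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def form_submit_schemes(page_url, html):
    """Return [(resolved action URL, scheme)] for each form on the page.

    Relative actions are resolved against the page URL, which is exactly
    how action="/login" on an http:// page quietly stays on HTTP."""
    parser = FormActionCollector()
    parser.feed(html)
    resolved = [urljoin(page_url, action) for action in parser.actions]
    return [(url, urlparse(url).scheme) for url in resolved]


def classify_payload(payload):
    """Classify the first bytes of a TCP payload as 'tls', 'http' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 3.0 .. 3.4.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if re.match(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown"


def extract_form_fields(payload):
    """Parse a cleartext HTTP request and return its urlencoded form fields.

    Returns {} when the payload is not an HTTP request carrying a form body,
    which is what you get for a TLS stream: nothing to read."""
    if classify_payload(payload) != "http":
        return {}
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {}
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        return {}
    length = int(headers.get(b"content-length", len(body)))
    parsed = parse_qs(body[:length].decode("utf-8", "replace"))
    return {name: values[0] for name, values in parsed.items()}


if __name__ == "__main__":
    for url, scheme in form_submit_schemes(PAGE_URL, PAGE_HTML):
        print(f"form submits to {url} over {scheme.upper()}")
    print("HTTP stream ->", classify_payload(HTTP_POST), extract_form_fields(HTTP_POST))
    print("TLS stream  ->", classify_payload(TLS_CLIENT_HELLO), extract_form_fields(TLS_CLIENT_HELLO))
```

The page-source check is the one the questioner already did by hand; resolving the action against the page URL matters because a relative action looks innocent in the source yet submits over whatever scheme the page was loaded with. The payload check is what Wireshark does for you: a cleartext POST yields the username and password directly, while a TLS stream yields only the record header and opaque bytes.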
