No subject


Tue Jun 4 12:17:20 MDT 2013


how the session key is itself sent. But that is probably only one
scenario, and depending on browser capabilities, it might switch to
alternate formats less secure; even something less secure I *think*
should encode passwords, so long as you are on https, rather than http.

> 
> Is that a stupid question since every request is a one time request and it
> either goes through an ssl tunnel or it doesn't?

Knowing the pass or session key would make me nervous. Anyone savvy
enough to get your pass and session key can use it.

> 
> I was also trying to sniff the traffic on the webpage (I have to do a
> seminar for some customers showing them why they want security and I was
> hoping to be able to do a hands on demo that shows a username and password
> going across clear text via a webpage login).  When I sniff an apache login
> setup, I just see garbage going across (I'm not using ssl for that
> section).  How can I see that traffic?

I can't answer how to use it, except possibly to take the output and
feed it to a browser. This might work, but you still run into the same
problems you'd get if you cut off a web page part way through, or fail
to get its starting tags...a subsection might be valid, yet it would
fail to display from mismatched tags. You'd need to be sure to pick up
even the http header data.

What is probably being seen (I haven't sniffed a web browser before,
can't be sure) is url encoding. Consider that there are control
characters embedded in a stream of data, that might be intended for
tcp/ip instead of the browser. Then the browser, if it wants to use
those characters (and it does sometimes), will need to run an "escape
sequence" on those characters, so it comes up with a substitution
scheme. Other items are also altered, such as changing all spaces in
name/value pairs to a plus '+' sign, and taking all reserved characters,
then changing those to hexadecimal equivalents. The browser and the
server url encode when sending, and decode when receiving. It is
*possible* that feeding this directly to a browser will allow you to use
it as a decoder. Note that it isn't encryption to hide things, but it
does make it not so legible to human readers, while making it easier for
the machine to know what is intended. I believe there is also some
alternate 64 bit encoding as well, which might take things even further,
making human readability zero (but it would work with extended character
sets).

> 
> Hugh
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
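
The reply's point that URL encoding is a substitution scheme and not encryption, shown as an added example that is not part of the original thread: it reverses the encoding of a login request as a sniffer would record it on plain http. The request bytes, host name, field names and credentials are constructed, and the Base64 `Authorization: Basic` header is an assumption about what an Apache password prompt can put on the wire, not something the thread states.

```python
import base64
from urllib.parse import parse_qsl

# Constructed sample: one login request as captured from plain http (no TLS).
CAPTURED = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic ZGVtbzpwQHNzIHcwcmQh\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"user=demo+user&password=p%40ss+w0rd%21"
)


def split_request(raw):
    """Split raw request bytes into (request line, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def exposed_credentials(raw):
    """Return what any observer can read back from the request without a key."""
    _, headers, body = split_request(raw)
    found = {}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            # Base64 is reversible by design: "user:password" comes straight back.
            text = base64.b64decode(token, validate=True).decode("utf-8")
            user, _, password = text.partition(":")
            found["basic"] = (user, password)
        except (ValueError, UnicodeDecodeError):
            found["basic"] = None  # malformed token, nothing recoverable
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qsl turns '+' back into a space and %XX back into the character.
        found["form"] = dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))
    return found


if __name__ == "__main__":
    for source, value in exposed_credentials(CAPTURED).items():
        print(source, "->", value)
```

Neither decoding step needs a secret, which is why only the https transport keeps these values from an observer on the network path.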


