Is it possible at all to secure an unencrypted website?

Discussion in 'ASP .Net Security' started by LenaMsdn08, Feb 7, 2009.

  1. LenaMsdn08

    LenaMsdn08 Guest

    We recently had this discussion at work - someone had suggested implementing
    single sign-on by passing a random 32-byte key in the query string and matching
    it against a database that is used by both applications. Both sites are
    written in ASP.NET 1.1.

    It was pointed out that passing this key in the query string was a huge
    security hole; anyone who intercepted the request on the Internet could then
    use the key to log in.

    On the other hand, wouldn't any unencrypted (using http, not https) website
    be vulnerable pretty much no matter what you do? For example, even if the
    session object is server-side, isn't the cookie that stores the session ID
    passed in the HTTP request, so just as well as intercepting the query string,
    couldn't someone intercept the cookie and hijack the session?

    (My apologies for the lack of correct terminology in this post.)
    LenaMsdn08, Feb 7, 2009
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Your analysis is correct. If you want it to be secure, you really need to
    consider SSL. Session cookies or cookies that supply authentication
    information are just as easily intercepted as query string parameters if the
    plaintext HTTP data can be sniffed.


    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Feb 7, 2009
    #2

  3. LenaMsdn08

    LenaMsdn08 Guest

    Joe,

    Thank you for the information and for getting back to me so quickly - I'll
    have to do some more thinking about our site, apparently.

    More or less thinking out loud ...

    Noticed when I went in to check the newsgroup, that for example the MSDN
    login and subscriber download pages are secure, but the MSDN home page and
    many other pages without sensitive content are not, which makes sense (secure
    pages are slower).

    The top right of the page says "Welcome Lena" and "Sign Out" so MSDN must
    see me as logged in ... but I assume it's not actually passing any
    authentication information on these pages, where someone could intercept it
    and use to access the secure download page. I'm sure Microsoft wouldn't let
    anyone break in so easily and steal expensive software :)

    Comparing to something I noticed on another website I worked on a long time
    ago ... most of the site was unsecure but there were some secure pages, and
    the secure and unsecure parts used different ASP Session IDs. That would take
    care of keeping the unsecure pages from giving away authentication data for
    the secure pages, wouldn't it?

    I'm sure there is more to it than that, of course ... I'll work away on it
    and see what I can find.

    Thank you again for the information, it was helpful!



    LenaMsdn08, Feb 7, 2009
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    Amazon also is a good example of maintaining some notion of who you are but
    switching to secure mode for actual ordering operations and other similar
    stuff.

    One way to do this is to ensure that your actual authentication cookies are
    set with the Secure flag so the browser will only return them on a secure
    channel. You could have a personalization cookie that cannot be used to
    access secure resources that still indicates who the user is.

    Essentially, this type of thing needs to be designed thoughtfully to be
    effective. Microsoft has some good guidance around developing threat models
    to help you understand what the threats are and how to mitigate them.

    And yes, if you use gmail without HTTPS, someone can steal your
    authentication information and possibly read your mail. I recommend you not
    do that. :)

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Feb 7, 2009
    #4
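The split that Joe describes in #4 (a Secure-flagged authentication cookie plus a display-only personalization cookie), which is also the answer to the "different Session IDs for the secure and unsecure parts" question in #3, looks like this in ASP.NET 1.1 Forms Authentication. This is an added example, not code from the thread or from Microsoft; the cookie name DISPLAYNAME, the class name and the web.config fragment in the comment are assumptions for illustration.

```csharp
// Added example: separating the trusted authentication cookie (HTTPS only)
// from an untrusted personalization cookie (plain HTTP) in ASP.NET 1.1.
//
// Assumed web.config fragment (requireSSL exists from ASP.NET 1.1 onwards):
//
//   <authentication mode="Forms">
//     <forms name=".AUTH" loginUrl="login.aspx" requireSSL="true" protection="All" />
//   </authentication>
//
// With requireSSL="true" the FormsAuthenticationModule issues the ticket cookie
// with the Secure flag and ignores it on non-HTTPS requests, so pages served
// over plain HTTP never see (or leak) the authentication ticket.

using System;
using System.Web;
using System.Web.Security;

public class SplitCookieLogin
{
    // Assumed name of the non-secure, display-only cookie.
    const string PersonalizationCookieName = "DISPLAYNAME";

    // Call from login.aspx after the password has been verified. login.aspx
    // itself must be requested over HTTPS, otherwise the credentials travel
    // in the clear before any cookie is involved.
    public static void IssueCookies(HttpContext ctx, string userName, string displayName)
    {
        if (!ctx.Request.IsSecureConnection)
        {
            // Never issue an authentication ticket over plain HTTP.
            throw new HttpException(403, "Login requires HTTPS.");
        }

        // 1. Authentication cookie: carries the encrypted and signed ticket and
        //    is the only thing the server trusts for identity. Secure = true
        //    makes the browser return it on HTTPS requests only. requireSSL in
        //    web.config already does this; setting it here as well keeps the
        //    intent visible and survives a mis-edited web.config.
        HttpCookie auth = FormsAuthentication.GetAuthCookie(userName, false);
        auth.Secure = true;
        ctx.Response.Cookies.Add(auth);

        // 2. Personalization cookie: plain-HTTP pages read it to show
        //    "Welcome Lena", but no server code may grant access based on it.
        //    It contains no secret, so sniffing it gains an attacker nothing.
        HttpCookie display = new HttpCookie(PersonalizationCookieName,
                                            HttpUtility.UrlEncode(displayName));
        display.Expires = DateTime.Now.AddDays(1);
        ctx.Response.Cookies.Add(display);
    }

    // For non-secure pages: the greeting name, or null when absent. Treat the
    // value as attacker-controlled input (HTML-encode it before rendering).
    public static string GetDisplayName(HttpRequest request)
    {
        HttpCookie c = request.Cookies[PersonalizationCookieName];
        if (c == null || c.Value == null || c.Value.Length == 0)
        {
            return null;
        }
        return HttpUtility.UrlDecode(c.Value);
    }

    // For secure pages (subscriber downloads, ordering): the only acceptable
    // identity check. On a plain-HTTP request the browser does not send the
    // Secure cookie, and with requireSSL="true" the module ignores a replayed
    // copy anyway, so this returns null off HTTPS.
    public static string GetAuthenticatedUser(HttpContext ctx)
    {
        if (!ctx.Request.IsSecureConnection)
        {
            return null;
        }
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            return null;
        }
        return ctx.User.Identity.Name;
    }
}
```

The design point is that the two cookies differ in what the server is willing to do with them, not merely in which pages set them: a page reached over HTTP can only ever learn a display name, so capturing every cookie on that page yields nothing that opens a secure page. The query-string token from the first post fails this test because the token itself is the credential, and a URL is also retained in server logs, proxy logs and browser history, and is forwarded in the Referer header to any third-party site the page links to.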
  5. LenaMsdn08

    LenaMsdn08 Guest

    Joe,

    Thanks again for your insights - this gave me a lot of good ideas. I will
    look for more security info on Microsoft's website too :)

    LenaMsdn08, Feb 8, 2009
    #5
  6. Allen Chen [MSFT]

    Hi,

    In addition to what Joe said I'd like to provide some general
    documentations FYI.

    http://msdn.microsoft.com/en-us/library/aa302426.aspx
    http://www.devx.com/security/Article/20898

    If you have additional questions please feel free to let me know.

    Regards,
    Allen Chen
    Microsoft Online Support

    Allen Chen [MSFT], Feb 9, 2009
    #6
  7. Allen Chen [MSFT]

    Hi Lena,

    Have you got the expected answer? If you have additional questions please
    feel free to ask. I'll do my best to follow up.

    Regards,
    Allen Chen
    Microsoft Online Support
    Allen Chen [MSFT], Feb 13, 2009
    #7