Is it possible at all to secure an unencrypted website?

Discussion in 'ASP .Net Security' started by LenaMsdn08, Feb 7, 2009.

  1. LenaMsdn08 Guest

    We recently had this discussion at work - someone had suggested implementing
    single sign-on by passing a random 32-byte key in the query string and match
    it against a database that is used by both applications. Both sites are
    written in ASP.NET 1.1

    It was pointed out that passing this key in the query string was a huge
    security hole; anyone who intercepted the request on the Internet could then
    use the key to log in.

    On the other hand, wouldn't any unencrypted (using http, not https) website
    be vulnerable pretty much no matter what you do? For example, even if the
    session object is server-side, isn't the cookie that stores the session ID
    passed in the HTTP request, so just as well as intercepting the query string,
    couldn't someone intercept the cookie and hijack the session?

    (My apologies for the lack of correct terminology in this post.)
    LenaMsdn08, Feb 7, 2009

  2. Joe Kaplan Guest

    Your analysis is correct. If you want it to be secure, you really need to
    consider SSL. Session cookies or cookies that supply authentication
    information are just as easily intercepted as query string parameters if the
    plaintext HTTP data can be sniffed.
    Joe Kaplan, Feb 7, 2009

  3. LenaMsdn08 Guest

    Thank you for the information and for getting back to me so quickly - I'll
    have to do some more thinking about our site, apparently.

    More or less thinking out loud ...

    Noticed when I went in to check the newsgroup, that for example the MSDN
    login and subscriber download pages are secure, but the MSDN home page and
    many other pages without sensitive content are not, which makes sense (secure
    pages are slower).

    The top right of the page says "Welcome Lena" and "Sign Out" so MSDN must
    see me as logged in ... but I assume it's not actually passing any
    authentication information on these pages, where someone could intercept it
    and use to access the secure download page. I'm sure Microsoft wouldn't let
    anyone break in so easily and steal expensive software :)

    Comparing to something I noticed on another website I worked on a long time
    ago ... most of the site was unsecure but there were some secure pages, and
    the secure and unsecure parts used different ASP Session IDs. That would take
    care of keeping the unsecure pages from giving away authentication data for
    the secure pages, wouldn't it?

    I'm sure there is more to it than that, of course ... I'll work away on it
    and see what I can find.

    Thank you again for the information, it was helpful!
    LenaMsdn08, Feb 7, 2009
  4. Joe Kaplan Guest

    Amazon also is a good example of maintaining some notion of who you are but
    switching to secure mode for actual ordering operations and other similar

    One way to do this is to ensure that your actual authentication cookies are
    set with the Secure flag so the browser will only return them on a secure
    channel. You could have a personalization cookie that cannot be used to
    access secure resources that still indicates who the user is.

    Essentially, this type of thing needs to be designed thoughtfully to be
    effective. Microsoft has some good guidance around developing threat models
    to help you understand what the threats are and how to mitigate them.

    And yes, if you use gmail without HTTPS, someone can steal your
    authentication information and possibly read your mail. I recommend you not
    do that. :)
    Joe Kaplan, Feb 7, 2009
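    The two-cookie design Joe describes, as an added example that is not part of the original thread: a minimal model of the browser's Secure-flag rule applied to constructed Set-Cookie headers, plus a check that reports any authentication cookie that would still travel over plain HTTP. The cookie names (.ASPXAUTH, DisplayName) and ticket value are assumptions for illustration.

    ```python
    from urllib.parse import urlsplit

    # Constructed Set-Cookie headers, as a site built on Joe's advice would emit them:
    # the authentication ticket is Secure (and HttpOnly); the personalization cookie
    # is not, so "Welcome Lena" still works on plain-HTTP pages without exposing auth.
    GOOD_HEADERS = [
        ".ASPXAUTH=0F3A9C1D7B2E; path=/; HttpOnly; Secure",  # hypothetical auth ticket
        "DisplayName=Lena; path=/",                          # personalization only
    ]
    # The original single-cookie design: the auth ticket has no Secure flag.
    WEAK_HEADERS = [
        ".ASPXAUTH=0F3A9C1D7B2E; path=/; HttpOnly",
    ]

    def parse_set_cookie(headers):
        """Return {name: {"value": ..., "secure": bool}} from Set-Cookie header lines."""
        jar = {}
        for header in headers:
            name_value, *attrs = [part.strip() for part in header.split(";")]
            name, _, value = name_value.partition("=")
            flags = {a.lower() for a in attrs if "=" not in a}
            jar[name] = {"value": value, "secure": "secure" in flags}
        return jar

    def cookies_sent_to(jar, url):
        """Names a browser would attach to a request for url (Secure cookies only over https)."""
        scheme = urlsplit(url).scheme.lower()
        return sorted(n for n, c in jar.items() if scheme == "https" or not c["secure"])

    def auth_cookies_exposed_over_http(jar, auth_cookie_names):
        """Authentication cookies a passive sniffer could capture on a plain-HTTP page."""
        sent = set(cookies_sent_to(jar, "http://example.invalid/"))
        return sorted(n for n in auth_cookie_names if n in sent)

    if __name__ == "__main__":
        good = parse_set_cookie(GOOD_HEADERS)
        print("http  :", cookies_sent_to(good, "http://example.invalid/home"))
        print("https :", cookies_sent_to(good, "https://example.invalid/download"))
        print("exposed:", auth_cookies_exposed_over_http(parse_set_cookie(WEAK_HEADERS), [".ASPXAUTH"]))
    ```
    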
  5. LenaMsdn08 Guest

    Thanks again for your insights - this gave me a lot of good ideas. I will
    look for more security info on Microsoft's website too :)
    LenaMsdn08, Feb 8, 2009
  6. Hi,

    In addition to what Joe said I'd like to provide some general
    documentations FYI.

    If you have additional questions please feel free to let me know.

    Allen Chen
    Microsoft Online Support

    Allen Chen [MSFT], Feb 9, 2009
  7. Hi Lena,

    Have you got the expected answer? If you have additional questions please
    feel free to ask. I'll do my best to follow up.

    Allen Chen
    Microsoft Online Support
    Allen Chen [MSFT], Feb 13, 2009