Security Snake Oil: Encrypted Login Forms Don’t Ensure Confidentiality!

Monday, August 18th, 2008

As a web application security testing professional, you often encounter “snake oil” security implementations. A recent example would be the “Hacker Safe” ruse which has been exposed time and time again by the security community. Today, I come to you with another: Partially encrypted web applications aren’t protecting you!! Let me explain the situation. Most web applications have implemented SSL/TLS encryption for you to login without exposing your username and password to the guy in the black trench coat also using the wifi at the coffee shop. This kind of protective measure inspires the trust of the user in the application, but does very little to actually protect your identity, data, or in the event of social applications, your reputation.

At the heart of the problem is the way that the web server maintains a unique session for each visitor: by setting and tracking a unique value in the cookie. Once a visitor logs in, the unique web server session is bound to the authenticated user, making the session identifier equivalent to the username and password. To further compound the issue, the contents of the cookie are automatically transmitted over the network with each request that the browser issues to the web server.

Once an attacker has sniffed the contents of the web application’s cookie from the network, they have obtained the key component for impersonating the victim on the target site:

  • Social Networks - an attacker can perform smear campaigns by posting items to the targeted profile for the victim’s contacts to see.
  • WebMail - an attacker can create a mail filter to read the victim’s email. This attack has already resulted in a blogger being victim to domain hijacking.
  • Administration Interfaces - an attacker can perform unauthorized changes to devices or services which utilize administrative interfaces to update settings.
  • Financial Applications - an attacker could steal money or financial information on vulnerable web applications. (Applications which accept credit card payments are subject to PCI-DSS compliance, and lack of encryption would not comply. Sites that only accept PayPal or other online payment processors are not subject to PCI-DSS).

Application users must learn to recognize when they’re being misinformed about risk and demand more security from the vendors. Application designers and vendors must implement encryption for the entire application. If the additional server resources are of concern, a hardware appliance for SSL/TLS can be installed so that the web server does not suffer from the overhead resource consumption.
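The following is an added example written for this post (it is not code from the original article) to make the two points above concrete: a session cookie issued over HTTPS is still attached by the browser to every plain-HTTP request to the same host, and setting the standard `Secure` cookie attribute only helps when the whole site is served over TLS, because a `Secure` cookie is simply never sent over HTTP. The `Set-Cookie` headers, the `mail.example.test` host and the browsing sequence are constructed for illustration.

```python
"""Added example: a session cookie set after a TLS login leaks on every
plain-HTTP page of a partially encrypted site; the Secure attribute stops
the leak but also drops the session on HTTP pages, so full-site TLS is
the real fix. All headers, hosts and URLs below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers as a server might send them after login.
WEAK_SET_COOKIE = "SESSIONID=7f3a9c2e; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "SESSIONID=7f3a9c2e; Path=/; HttpOnly; Secure"

# Constructed browsing session: TLS login, then plain-HTTP pages on the same host.
MIXED_SITE_VISIT = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/settings/filters",
]
# Same visit on a site that serves every page over TLS.
FULL_TLS_VISIT = [u.replace("http://", "https://") for u in MIXED_SITE_VISIT]


def parse_session_cookie(set_cookie_header):
    """Parse one Set-Cookie header into (name, value, secure, httponly)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    name, morsel = next(iter(jar.items()))
    return name, morsel.value, bool(morsel["secure"]), bool(morsel["httponly"])


def cookie_sent_in_clear(set_cookie_header, urls):
    """URLs to which a standards-following browser attaches the cookie over
    plaintext HTTP, i.e. where anyone sniffing the network reads the session id.
    A Secure cookie is never sent over http://, so it never appears here."""
    _, _, secure, _ = parse_session_cookie(set_cookie_header)
    return [u for u in urls if urlsplit(u).scheme == "http" and not secure]


def session_dropped_on(set_cookie_header, urls):
    """URLs where the browser withholds the cookie entirely: with Secure set,
    every plain-HTTP page is served without the session, which is why Secure
    only works together with encrypting the whole application."""
    _, _, secure, _ = parse_session_cookie(set_cookie_header)
    return [u for u in urls if urlsplit(u).scheme == "http" and secure]


def audit(set_cookie_header, urls):
    """Summarise the outcome of one cookie policy against one visit pattern."""
    return {
        "leaked_in_clear": cookie_sent_in_clear(set_cookie_header, urls),
        "session_dropped": session_dropped_on(set_cookie_header, urls),
    }


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        for site, urls in (("mixed site", MIXED_SITE_VISIT), ("full TLS", FULL_TLS_VISIT)):
            print(label, "cookie on", site, "->", audit(header, urls))
```

Running the block shows the four combinations: the weak cookie on the mixed site leaks on both HTTP pages, the hardened cookie on the mixed site leaks nothing but loses the session on those same pages, and on the full-TLS site neither list is ever populated, which is the outcome the post argues for.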