Tuesday, December 16, 2014

HTTP Login Pages are a Big No-No

You should NEVER enter your username and password into a website that runs under HTTP. Contact the owner of that website and request they add a simple SSL certificate so that the website runs under HTTPS. Why? Because otherwise your password will be sent in plain text across the internet from your computer, one router at a time, until it reaches that company's web server. Anywhere in between, your password could have been captured. Whoever captured your password can then turn around and log in to that website, or, even worse, try the same password against your email, your bank, or any other website of their choice.

The most common places of compromise are wireless hotspots like a coffee shop, hotel, or airport. Why? Because it's so simple and trivial to sniff shared, unprotected wireless for plain-text passwords. But it doesn't stop there: I would not trust entering my password on HTTP even from my home, hard-wired in, or from my work on our intranet. It takes one malicious insider at your ISP, at your work, in your house, or wherever, to sniff those packets and steal your information.

It's sad, but I did a simple search for "Support Login" on Google and found numerous websites that are still running HTTP logins. I was able to demonstrate, as a proof of concept, the fact that on all those websites your password is transmitted in plain text. See this pastebin as an example of how HTTP login pages just don't cut it ...

http://pastebin.com/vKtNx2DN

Note: I did send an email to each of these companies' support addresses listed on their websites as a friendly reminder to upgrade to HTTPS.
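To check a page for the problem described above, here is an added example (not code from the original post): it parses a page's HTML, finds every form that contains a password field, resolves the form's action against the page URL, and reports the ones that would submit the password over plain HTTP. The hostnames and HTML are constructed for the example.

```python
# Added example: flag login forms whose submission would travel over plain HTTP.
# Note that an HTTPS page can still post credentials to an http:// action, which
# is why the form's resolved action URL is checked rather than the page URL alone.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect the resolved action URL of every <form> that holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None          # action of the form currently being parsed
        self._has_password = False
        self.login_forms = []        # resolved action URLs of forms with a password input

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_forms.append(self._action)
            self._action = None


def insecure_login_actions(page_url, html):
    """Return action URLs of login forms on the page that are not served over HTTPS."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    return [u for u in auditor.login_forms if urlsplit(u).scheme != "https"]


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_HTML = """
<form action="/support/login"><input name="u"><input type="password" name="p"></form>
<form action="https://secure.example.com/login"><input type="PASSWORD" name="pw"></form>
<form action="search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_login_actions("http://www.example.com/support/", SAMPLE_HTML):
        print("password would be sent in the clear to:", url)
```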

Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.
