1

Forgive me for a potentially obvious question--and I know the safe answer is "Always use https!"--but I'm trying to get a grasp on how necessary it is to use https for anyone accessing the backend on CMSes like Drupal, WP, etc. I was wondering if anyone can clarify a few things.

  1. My understanding of man-in-the-middle attacks is that they are relatively uncommon over networks with basic security measures (such as home networks, password-locked Wi-Fi networks, office networks). Basically, there are no easy access points between, for instance, my home and my ISP, where someone can set up a system to intercept traffic.

  2. Of course, open Wi-Fi networks provide an easy entry point to intercept traffic, but even large password-protected networks such as hotel internet connections, etc., provide another easy access point to intercept the traffic of anyone else accessing the internet through the same network.

Assuming these two things are correct, I would make the following deductions:

  1. It would seem to me that logging into a CMS via http under any sort of administrative account is generally safe (though perhaps not a best practice) from home and from the office, as long as there is no open Wi-Fi and, of course, no malicious users using systems within said home or office.

  2. This would also mean that if you are logging in to a CMS in such a capacity over a hotel connection, in-flight connection, or anything of the sort, you should always use https. I'm pretty sure this is obvious, but just asking to clarify, as security is not my specialty.

Can anyone tell me if I am basically on the right track here, or if any of my understandings or assumptions are flawed in any way? Basically, what I'm trying to determine is whether it is pretty necessary to always have CMS-based websites set up using https, or whether plain old http is, generally speaking, safe enough for sites on which administrators log in only from networks where all users are trusted.

RoraΖ
rrr45

1 Answer

1

It's always good to have encryption over a CMS-based website. I would recommend always using HTTPS because you never know who is intercepting traffic and what their intentions could be. For instance, if someone was intercepting your traffic and performing MITM attacks, they could respectively grab your login if they decided to and could pretty much try this login with other accounts of your own, etc.

Although all users can become trusted as you are implying in your question, I would still use encryption. Anything can happen. I don't know if you have heard of an HTTPS exploit called 'BREACH'. This is a security exploit upon HTTPS that uses HTTP compression. More about it here: https://en.wikipedia.org/wiki/BREACH_(security_exploit)

You're definitely on the right track. I don't see a flaw in your knowledge, and you're definitely asking the right questions to build your base.

Xanmashi
  • Thanks for the help. Is it generally true that MITM attacks are rare or very, very difficult against someone accessing the internet from something like a wired home or office connection? It seems to me that the only way to perform a MITM attack on such a user (again--assuming all internal users are trusted) would be to physically break the ISP's cable somewhere along the line and run all traffic through the attacker's system at that physical point. – rrr45 Oct 05 '15 at 16:48
  • Usually, yes. I have a pentesting operating system named 'Kali Linux' that I use often. I rarely perform MITM attacks from this system because it's time-consuming and it's precision. Unless I was desperate, I would not use this method. Usually it's not necessary to intercept that traffic physically unless you wanted easy access to the backend of the desired target. I would use Metasploit if I was to do it without physically diverting the traffic towards me (if I was the attacker). – Xanmashi Oct 05 '15 at 16:54
  • OK, thanks a ton. That lets me know whether I'm on the right track in my thinking. – rrr45 Oct 05 '15 at 16:59
  • No worries. Good luck on your building of knowledge. Would you mind up-voting the answer or ticking it if I have answered your question? Take care. – Xanmashi Oct 05 '15 at 17:01
  • No problem. Take care now – Xanmashi Oct 05 '15 at 17:09
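
The thread's concern is a CMS administrator's password crossing the network over plain http. The following check is an added example, not part of the original question or answer: given a login page's URL and HTML, it lists every form containing a password field whose submit target is not https. The host `cms.example`, the function name and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect the action attribute of every <form> that has a password field."""

    def __init__(self):
        super().__init__()
        self._action = None        # action of the form currently open
        self._in_form = False
        self._has_password = False
        self.actions = []          # raw action attributes of password forms

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password = True, False
            self._action = attrs.get("action") or ""
        elif tag == "input" and self._in_form:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self.actions.append(self._action)
            self._in_form = False


def cleartext_login_targets(page_url, html):
    """Return absolute URLs to which a password would be sent without TLS."""
    finder = _LoginFormFinder()
    finder.feed(html)
    finder.close()
    # An empty or relative action inherits the scheme of the page itself.
    targets = [urljoin(page_url, a) for a in finder.actions]
    return [t for t in targets if urlsplit(t).scheme != "https"]


# Constructed sample: a WordPress-style login form with a relative action.
SAMPLE = """
<form name="loginform" action="wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
<form action="/search"><input type="text" name="s"></form>
"""

if __name__ == "__main__":
    for url in ("http://cms.example/wp-login.php", "https://cms.example/wp-login.php"):
        print(url, "->", cleartext_login_targets(url, SAMPLE) or "no cleartext submit")
```

The check covers only where the form submits; it does not tell you whether the page that served the form arrived intact, which is why the login page itself should also be served over https.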