0

I notice many websites implementing HTTPS for changes in account information even though the user has already logged in through HTTPS and is tracked by SESSION.

Is this really necessary?

Question Overflow

3 Answers

4

In fact, any site that uses a combination of HTTP and HTTPS will be vulnerable to man-in-the-middle attacks, and most will also be vulnerable to Firesheep-like attacks that capture the session cookie by eavesdropping on the HTTP connection.

It is not enough to use HTTPS for just the login and changes in account information. Sites need to use HTTPS for everything if they want to be secure against man-in-the-middle attacks (e.g., if they want to be secure for users who are connecting over open Wi-Fi).

See the following questions on this site: What are the pros and cons of site wide SSL (https)?, When are HTTP session cookies at risk over Wi-Fi?, and What sites are still vulnerable to FireSheep?.

D.W.
  • Just want to clarify something. Firesheep is not a MitM tool, it's simply a session hijack tool. Using site-wide SSL protects against session hijacking, but doesn't protect against a MitM attack. SSLstrip and other tools work just fine. Remember, it's all about layers. – Chris Frazier Apr 24 '12 at 16:18
  • Very informative. I learn a lot from your post. Thanks. – Question Overflow Apr 25 '12 at 07:50
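The session-hijack point in the answer above can be checked mechanically. The following is an added example (not code from the original post or from any of the answerers): given the Set-Cookie header a login response issued over HTTPS, the host that issued it, and the URL of a later plain-HTTP page on the same site, it decides whether the browser would attach the session cookie to that plaintext request, which is exactly what an eavesdropper on open Wi-Fi needs. It also checks whether a Strict-Transport-Security header would stop the browser from making http:// requests at all. Header values, host names and cookie names are constructed for illustration; Path scoping is deliberately ignored.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_sent_in_clear(set_cookie_header: str, set_by_host: str, request_url: str) -> bool:
    """True if the cookie issued by set_cookie_header (received from set_by_host
    over HTTPS) would be attached by the browser to a plaintext request to
    request_url, i.e. readable by anyone sniffing the network.
    Assumption: Path scoping is ignored for brevity."""
    parts = urlsplit(request_url)
    if parts.scheme != "http":
        return False  # only plaintext requests are in scope
    host = (parts.hostname or "").lower()
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    for morsel in jar.values():
        if morsel["secure"]:
            continue  # Secure attribute: the browser withholds it on http://
        domain = morsel["domain"].lstrip(".").lower()
        if domain:
            in_scope = host == domain or host.endswith("." + domain)
        else:
            in_scope = host == set_by_host.lower()  # host-only cookie
        if in_scope:
            return True
    return False


def hsts_active(sts_header) -> bool:
    """True when Strict-Transport-Security carries a positive max-age, so the
    browser will not issue http:// requests to the site at all."""
    if not sts_header:
        return False
    for directive in sts_header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"')) > 0
            except ValueError:
                return False
    return False


def session_exposed(set_cookie_header, set_by_host, sts_header, request_url) -> bool:
    """Passive-eavesdropping exposure: cookie goes out in the clear and no HSTS."""
    return cookie_sent_in_clear(set_cookie_header, set_by_host, request_url) and not hsts_active(sts_header)
```

A cookie set with `Secure` and a site served with HSTS both make `session_exposed` return False; a cookie without `Secure` on a site that still serves any page over HTTP returns True.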
1

Yes, it is necessary. If you are sending data through HTTP, your data will be in plain text and can be read. By sending the data through HTTPS, you ensure that the data channel will be encrypted.

Oleksi
  • If there is a man-in-the-middle, wouldn't the log in already have failed even before the user reaches the password change page? – Question Overflow Apr 24 '12 at 03:58
  • @BenHuh - The entire point of Man in the middle is to fool the user into thinking nothing is wrong, so it would not fail, as the man in the middle would pass on the information to the original destination and send the response to their target. – Ramhound Apr 24 '12 at 13:20
0

In fact, all communication should be done over an HTTPS channel. Using HTTPS only for authentication is a bad idea. After authentication, a session id is created which may be used to impersonate the logged-on user.

Why do you expect that in case of a man-in-the-middle attack the log in would fail? It would fail only if the user noticed the incorrect certificate, but that is not important in this case. If the password change does not require HTTPS, the attacker doesn't need to mount a man-in-the-middle attack. It is sufficient for him to just listen to the communication. He will not be able to see the user name and password during authentication, but he will see the new password when the user changes it. The username will probably be displayed somewhere on the pages, so the attacker will get both username and password just by listening. There is no need for active attacks like man-in-the-middle.

Some additional information about HTTPS can be found in the Transport Layer Protection Cheat Sheet.

pgolen