20

I know that http requests can be sniffed, so sniffer can see the requested URL from the victim. So 2 days ago I my bank made me a web-account to see, send money etc...

The thing I saw is my session id is always on my URL.. I copy/pasted it on another browser and I successfully logged in from it without entering username/password(on the new browser).

So my question is whether https:// (get) links sniffable over the wire (e.g., with ettercap)? Should I be worried?

B-Con
  • 1,832
  • 12
  • 19

4 Answers4

25

HTTPS uses TLS, which is Transport Layer Security. HTTP as a protocol, runs above the transport layer. This means that all of the communication made by HTTPS, including the URL is protected.

Passing the session id in the URL is insecure for other reasons. For example it exposes the possibility of Session Fixation. The Session ID written to paper if a user prints a webpage. It also defeats the use of HTTPOnly cookies... This is just a bad idea and its likely that this bank has made other poor choices in regards to security.

rook
  • 46,916
  • 10
  • 92
  • 181
  • 4
    is right, but I think understates this. The bank's implementation is fundamentally flawed. I would switch banks. – MCW Feb 15 '13 at 18:26
  • 3
    To elaborate on session fixation, an attacker Eve can get the bank to issue her a fresh session ID while not logged in. If she then convinces you to follow a link with this session ID, and you then log in, Eve *already knows* the session ID for your authenticated session. There are mitigation measures, like resetting sessions on authentication. But as Rook stated, the fact that your bank is making a trivial security misstep like this virtually guarantees that it is making others as well. – Stephen Touset Feb 15 '13 at 18:43
  • Session in `GET` is also weak when it comes to shoulder browsing. It's like having your (expiring) password shown on your screen during all your browsing. – Xenos Jun 21 '18 at 15:31
3

No, the URL is not passed in plain text when making an HTTPS request but as Rook stated, there are other vulnerabilities in passing session id in the URL.
1. One of them is that your sessions ID will be listed as the referrer url. So if you click a link from your banks website to another website, the linked site will now log your session id. The same will happen with any images or scripts loaded.
2. On top of the problem with the linked site storing the information, if the link is to a non-https site, then that referrer url containing your session id will be sent in plain text allowing anyone sniffing the network to get the URL.

KlwntSingh
  • 103
  • 3
Eric
  • 451
  • 2
  • 4
  • [While navigating from a HTTPS to a non HTTPS site, the referrer header is never sent](http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3) – Extreme Coders Apr 03 '15 at 05:59
1

When using HTTPS the traffic will be encrypted. The only catch here is that if a malicious user had access to sniff your traffic he may also be able to abuse act as the destination server and setup an encrypted connection with you that looks as if it is your bank. The attacker will then create another session with the bank and forward all your requests to the bank and all responses back to you. This gives you the illusion that you are in fact communicating with your bank when you are not.

This is where certificates come in to play as they can be used to verify that the destination is who they say they are. In this case you bank.

There are also some ways to abuse certificates to make them look legitimate.

I would recommend you check out: http://www.thoughtcrime.org/software/sslsniff/

A great video around this topic can be be found here: https://www.youtube.com/watch?v=ibF36Yyeehw

atorrrr
  • 199
  • 3
0

I'm going to have to disagree with some of the answers here. In a strict sense no URLs cannot be purely sniffed as they are protected by SSL as rightly stated.

In the spirit of the "am I safe" sense of the question be aware that if they are in a position to sniff they commonly could conduct a MITM attack, gaining details even with sites you're typically using SSL for. (See sslstrip).

Point being always pay attention to your browser and don't take things for granted :)

Peleus
  • 3,827
  • 2
  • 18
  • 20