
Exactly how insecure is this scenario? Please note that I can't use SSL due to restrictions in the website application (yeah, go figure!):

  • We have a domain that is only known to the users who need to know
  • The user will be inputting user name + password details into this site

How easy is it for someone to intercept the logging-in users' credentials, given that the URL would not be known?

Like I say, we would use SSL, but the app does not work well under an SSL connection.

Mantorok

2 Answers


In addition to what's already been said about traffic interception when not encrypted, perhaps your biggest problem is security through obscurity.

You're trusting your users not to talk.

You're giving a "secret" domain name to people who will be using it in public? Are your users really going to be concerned about security? I know people who don't even guard their ATM PIN. And what about users that are fired or quit? Or talk to you on the phone for support about some issue and just blah blah blah in public your secret URL?

And if you have this domain on the Internet, it's going to be in a database and searched by spiders for search engines. Something's bound to show up somehow.

In short, if you have users out there and you're relying on them not to talk about it, you are going to have a problem.

Of course that's in addition to shoulder surfing, man in the middle interception, etc...

Short answer: it's highly highly insecure.

Bart Silverstrim

How easy is it for someone to intercept the logging-in users' credentials, given that the URL would not be known?

It would be trivial to intercept the login credentials if you are not encrypting traffic. An attacker would not need to know the URL -- that would be a non-issue. A customer at Starbucks, using open Wi-Fi, would transmit everything unencrypted, including username, password and your "unknown" URL, etc., for anyone with a sniffer to see. The same thing applies for users on a non-switched, wired network. With a wired switched network an attacker could use a mirrored port or similar.

Fix your app to work with SSL.

jscott
  • Thanks, I think I understand the risks now. Can't change the app unfortunately as it's Immediacy CMS and doesn't work under SSL - crazy I know! – Mantorok Aug 26 '10 at 10:43
  • Depending on the technical skills or the willingness to acquire such skills at the end user side, you could consider using some form of VPN to access the unsecure application. As such you can limit exposure (no need to expose the app to the big world outside...) – Vincent De Baere Aug 26 '10 at 11:19
  • @Mantorok: It seems Immediacy is now known as Alterian CMS. If I were you [a customer of Alterian] I would be all over their support if they claim they cannot support HTTPS. A claim like that makes their product sound amateur, at best. – jscott Aug 26 '10 at 12:23
  • Alterian is a separate product to Immediacy (which was bought by Alterian) and apparently has never claimed to be SSL compliant, which I've only just found out! – Mantorok Aug 26 '10 at 12:26
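To make concrete why an "unknown" URL gives no protection on a cleartext connection, here is an added example (it is not from the question or from either answerer) that parses a login request exactly as it appears on the wire over plain HTTP and reports which credential-bearing form fields, together with the host and path, are readable by anyone in the traffic path. It is written as an audit aid for checking your own application's traffic captures: the two sample requests, the host name `secret-portal.example` and the list of field names are constructed for illustration, and secret values are masked rather than printed.

```python
from urllib.parse import parse_qs

# Constructed sample: a form-based login POST as it travels over plain HTTP.
SAMPLE_FORM_LOGIN = (
    b"POST /admin/login HTTP/1.1\r\n"
    b"Host: secret-portal.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=Hunter2%21&ok=1"
)

# Constructed sample: the same site using HTTP Basic authentication instead.
SAMPLE_BASIC_AUTH = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: secret-portal.example\r\n"
    b"Authorization: Basic YWxpY2U6SHVudGVyMiE=\r\n"
    b"\r\n"
)

# Field names commonly used for secrets in login forms (assumed list, extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "passphrase"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_exposed_credentials(raw: bytes) -> dict:
    """Report what a passive observer of this cleartext request would learn.

    Returns the host and path (the 'secret' URL is visible in every request)
    and the names of credential-bearing fields; secret values are not returned.
    """
    req = parse_http_request(raw)
    findings = {
        "host": req["headers"].get("host"),
        "path": req["target"],
        "fields": [],
    }
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"].decode("utf-8", "replace"))
        for field in form:
            if field.lower() in CREDENTIAL_FIELDS:
                findings["fields"].append(field)
    # Basic auth is only base64, not encryption: it is just as exposed.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        findings["fields"].append("Authorization: Basic")
    return findings


def is_cleartext_login(raw: bytes) -> bool:
    """True when the request carries a credential in the clear."""
    return bool(find_exposed_credentials(raw)["fields"])


if __name__ == "__main__":
    for sample in (SAMPLE_FORM_LOGIN, SAMPLE_BASIC_AUTH):
        f = find_exposed_credentials(sample)
        print(f"http://{f['host']}{f['path']} exposes: {', '.join(f['fields']) or 'nothing'}")
```

Run against a capture of your own login page the output shows exactly what the second answer describes: the host name, the path and the credential field all travel in the clear, so knowing the URL in advance is never a prerequisite. The same parser applied to an HTTPS session sees only TLS records, which is the practical difference that fixing the app to run under SSL (or, as the comment suggests, reaching it only over a VPN) makes.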