On 9 Jan 2011 08h36 WET, austin.ein...@gmail.com wrote:
> Hi All
>
> I just made a site using Drupal 6.2 and on the front page I have kept the "user login" block. I hosted this site using some third-party web server.
>
> I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC. By checking a few packets' content I could figure out the user name and password in plain text.
>
> So it looks like others can see these packets and get the administrative user name and corresponding password, and hence can modify site content, and it is really dangerous. I assume people must have thought of it and there should be some way to make sure the username and password are encrypted by default, hence avoiding a third-party role in site content modification.
>
> Please guide in this regard and provide some pointers on how I can make username/password secure while logging in to sites based on Drupal.
That's how it's supposed to be. HTTP is a plain text protocol. TLS/SSL works below that layer.

There are several possible solutions, as others have referred to:

1. Put all your site over TLS.

2. Put part of the site over TLS. Although better in terms of not sending the password as plain text, this approach does not provide benefits in the way the cookies are handled, since you cannot mark them as Secure, meaning they can be sent over regular HTTP.

3. There's a very nice module, http://drupal.org/project/safer_login, that sends a salted double-pass MD5 hash of your password. It uses a jQuery MD5 plugin. The issue is that it has problems with the usual password-saving mechanism in browsers, since what appears in the password form field is the hash and not the password. If you can live with *always* entering your password, hence not relying on the convenient password-remembering mechanism available in browsers, this is a very cheap and easy way of securing the login process.

Remember that sending a simple hash, be it MD5 or even SHA1, is not a guarantee that it cannot be cracked. There are plentiful sites out there that offer rainbow tables for your convenience. The recent Gizmodo snafu shows that a simple hash is as vulnerable as plain text.

On a different note, *always* mark the cookies HttpOnly.

--- appa

> Regards
> Austin
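Added example, not from the thread and not code from Drupal or the safer_login module: a small audit of the Set-Cookie headers a login response carries, checking for the Secure and HttpOnly flags that points 2 and the closing remark above are about. The response text, the cookie name `SESS0123456789abcdef` and the host `example.test` are constructed for the example; `hardened_set_cookie` is a hypothetical helper showing the header shape a TLS-only site should emit.

```python
"""Audit Set-Cookie headers from an HTTP login response for the Secure and
HttpOnly flags.  All sample data below is constructed for illustration."""

from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool

    @property
    def problems(self):
        """Human-readable list of what is missing on this cookie."""
        issues = []
        if not self.secure:
            # Without Secure the browser will also send the cookie over plain
            # HTTP, so partial TLS (login page only) does not protect the session.
            issues.append("missing Secure: sent over plain HTTP as well")
        if not self.httponly:
            # Without HttpOnly any script running in the page can read it.
            issues.append("missing HttpOnly: readable by page scripts")
        return issues


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a CookieAudit.

    Attribute values never contain ';', so a plain split is sufficient; the
    comma inside an 'expires' date is not a separator."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_response(raw_response):
    """Collect every Set-Cookie header from a raw HTTP response and audit it."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    audits = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


def hardened_set_cookie(name, value, path="/"):
    """Hypothetical helper: the Set-Cookie value a TLS-only site should send."""
    return f"{name}={value}; path={path}; Secure; HttpOnly"


# Constructed sample: a login redirect from a site where only the login page is
# behind TLS and the session cookie carries neither flag.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/user/1\r\n"
    "Set-Cookie: SESS0123456789abcdef=ab12cd34; "
    "expires=Wed, 09-Feb-2011 08:36:00 GMT; path=/; domain=.example.test\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for audit in audit_response(SAMPLE_RESPONSE):
        status = "; ".join(audit.problems) or "OK"
        print(f"{audit.name}: {status}")
    fixed = parse_set_cookie(hardened_set_cookie("SESS0123456789abcdef", "ab12cd34"))
    print(f"{fixed.name} (hardened): {'; '.join(fixed.problems) or 'OK'}")
```

For a PHP-based site such as Drupal the flags come from PHP's session settings (`session.cookie_secure` and `session.cookie_httponly` in php.ini or `ini_set`), and Secure only makes sense once every page that needs the session is served over TLS, which is why option 1 above is the one that actually fixes the cookie problem.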