Exactly... http is transmitted in plain text across networks and anyone can sniff it out. Subnet is not even an issue if it's a public page. It is insecure for your system as well. Don't forget when you submit from another location on the internet you are sending that data through switches and routers that all see your username and password in plain text. If it's all internal with no outside access that's different but when you make it public it's a bad idea.

As a general rule, if it's plugged in, it's accessible, it's vulnerable in some way. If you want to see some sniffing in action download 'Cain and Abel' from oxid.it or Ethereal and you'll see how easy it really is. Scary how easy it is actually...

Vance

----- Original Message -----
From: "George Gallen" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, February 15, 2005 2:27 PM
Subject: RE: [U2] UV to Web interface

> yes, but if someone is sniffing the lines, unless the initial page is
> a https:// page, the username and password will be transmitted across
> the internet in plain text. Generally this isn't a problem, but if you
> are on a cable line, anyone on that subnet could realistically view
> the username/password, for future playing.
>
> It isn't so much insecure for your system, but insecure from the users
> standpoint.
>
> George
>
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> >Sent: Tuesday, February 15, 2005 2:08 PM
> >To: [email protected]
> >Subject: Re: [U2] UV to Web interface
> >
> >
> >Vance wrote: "Will, In one of your responses you said you
> >added username and pwd to the form. I hope this form is not
> >web accessible, and if it is, you should at least be
> >serving it ssl. Way too easy to sniff in pure http.... Just my
> >2 cents..."
> >
> >Vance not sure why you think it's insecure. It's not like
> >they can make up any old username and password. It's still
> >validated against the Windows system username and password.
> > The reason I had to add it, is that without it anyone could
> >run any command they wanted since it would have logged in with
> >a static username and password every time.
> > Since the page will be accessible to the outside, I need
> >some way to prevent anyone from running any command. So now
> >they have to at least be validated through the Windows password system.
> >Will
> -------
> u2-users mailing list
> [email protected]
> To unsubscribe please visit http://listserver.u2ug.org/
