
HTTPS Does NOT Make Passwords Secure

Does Not Address Server Security

9:16 pm on Dec 28, 2016 (gmt 0)

New User

joined:Nov 13, 2015
posts:8
votes: 2


Quote from the OP at: https://www.webmasterworld.com/webmaster/4830145.htm
Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for www.example.com

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.
....

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.


On the OP's topic, I had a lengthy discussion on this with Mozilla devs. The point I make is that HTTPS does NOT make passwords secure anyway. The vast majority of password thefts occur on the webserver or SQL server of the host, and HTTPS only protects data in transit, not once it arrives at the host.

Sending and storing passwords in plaintext is the issue which ought to be focused on. It has been at the root of almost all of the major security breaches. Forcing the use of HTTPS does absolutely nothing to fix this. In fact, by acting as a 'snake oil solution' for the real problem, it may prevent a proper fix being implemented.



[edited by: not2easy at 4:15 pm (utc) on Dec 29, 2016]
[edit reason] See Sticky/TOS [/edit]
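The distinction the post draws, transport encryption versus how the server keeps the password once it arrives, is easiest to see in code. The following is an added example, not code from the thread or from any project it mentions: it contrasts the plaintext record the post warns about with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library; the 600,000-iteration work factor follows OWASP's published guidance). The record format and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; tune upward as hardware gets faster.
ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The 'before' case from the post: the stored record *is* the password.

    Anyone who reads the user table (SQL injection, stolen backup, rogue
    admin) gets every credential directly, HTTPS or not.
    """
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash suitable for storage.

    Record format (constructed for this example):
        pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
    A fresh random salt per user means identical passwords produce
    different records and precomputed tables are useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_visible_in_record(record: str, password: str) -> bool:
    """What a database dump hands over: True if the record reveals the password."""
    return record == password


if __name__ == "__main__":
    # Constructed sample credential.
    pw = "correct horse battery staple"
    print("plaintext record:", store_plaintext(pw))
    rec = store_hashed(pw)
    print("hashed record:   ", rec)
    print("login ok:", verify_hashed(rec, pw))
    print("wrong pw:", verify_hashed(rec, "wrong"))
```

Note that the server hashes whatever the client sends, so a client-side hash, if a browser ever supplied one, would simply become the "password" that this server-side step protects; it does not replace it, and neither step encrypts the value while it crosses the network.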

10:08 pm on Dec 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts:1003
votes: 96


Amen, brother! Back when I did web design for clients, I can't tell you how many times I had to give that same sermon... which usually resulted in the client just finding someone who would do what they wanted and not give them a hard time.

Seriously... I can't tell you how many e-commerce sites wanted credit cards emailed to them in plain text!
12:35 pm on Dec 29, 2016 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 12, 2014
posts:384
votes: 67


encryption is not the correct way to protect passwords


but it is good for PR as it makes it look like they are doing something about the problem
7:09 pm on Dec 29, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2044
votes: 340


What's your point, though? Nobody's saying HTTPS ensures proper storage of passwords; a web browser has no control over that. Would you say that transferring passwords over HTTPS rather than unencrypted HTTP is not a welcome security improvement?
10:33 pm on Dec 29, 2016 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


Sounds like a straw man argument to me. Using HTTPS protects the transmission of the password, no-one is claiming that it protects the data on the server. From the OP:

Sending and storing passwords in plaintext is the issue which ought to be focused on.


That's two issues, not one, and you are deliberately conflating them to try to make your point. HTTPS helps with the sending but not the storing.
10:52 pm on Dec 29, 2016 (gmt 0)

New User

joined:Nov 13, 2015
posts:8
votes: 2


The point is that giving irrelevant or incorrect advice is never a good idea.

The warning is triggered on the presence of a password field. All the treatises on password handling that I've ever read say that encryption is not the correct way to process passwords.

The practical consideration is that the inexperienced webmaster might otherwise note that numerous websites are being hacked and passwords stolen, and decide to find out how to protect passwords properly. Thus, he might avoid that happening to his site.

But, he's been told that implementing HTTPS has made his passwords safe. So, he doesn't.
5:59 am on Dec 30, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


The point is that giving irrelevant or incorrect advice is never a good idea... he's been told that implementing HTTPS has made his passwords safe
IMO this is only your assumption. I see no evidence anyone is being told that.
9:26 am on Dec 30, 2016 (gmt 0)

New User

joined:Nov 13, 2015
posts:8
votes: 2


Password field present, warning shown. No password field.. no warning shown. Seems like that's telling me there is a password problem.. which will be fixed by HTTPS. Evidence enough to me.

Since we mention evidence though, show me the evidence that MITM attacks are a high priority security risk.

If the real-world evidence of such attacks is so scant (and it is, they barely feature at all in security stats) then why is the whole IT world dedicating a gazillion man-hours of time to protecting against them, even on sites which contain no sensitive information, beyond perhaps a throwaway forum password?

That is not a sensible deployment of personnel, when there are far more serious security issues which urgently need addressing. It's almost like this is being used as an excuse to avoid devoting time or money to the real issues.
10:28 am on Dec 30, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


Password field present, warning shown. No password field.. no warning shown
Yes, at first. Then later (to be determined) the warnings will display on all sites that are not secure.

Also, and this should be of interest to all webmasters, the upcoming HTTP/2 protocol, with significant speed increases, is only supported on sites with HTTPS.
1:00 pm on Dec 30, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2044
votes: 340


Since we mention evidence though, show me the evidence that MITM attacks are a high priority security risk.

The priority is irrelevant, unencrypted HTTP traffic remains a security risk. Are you suggesting otherwise?

From a web browser's perspective, unencrypted HTTP is a high priority issue, relative to all other issues it has control over. Secure storage of passwords is a non-issue, because what do you suggest a web browser should do about that?

They're different issues and you're conflating them.
7:55 pm on Dec 30, 2016 (gmt 0)

New User

joined:Nov 13, 2015
posts:8
votes: 2


You evidently haven't read my writeup on the subject. Browsers should provide hashing.

Unencrypted HTTP a high priority issue? Why? Since MITM is the one and only risk mitigated by HTTPS, at the risk of repeating myself, please justify this assertion with documented evidence of MITM incidents which led to bulk theft of passwords. Or, for that matter, which led to any nontrivial security breach.

From some fairly extensive searching of vulnerability listings I could find only two documented MITM incidents. Neither involved bulk theft of passwords. If you can provide substantially more evidence than that of the danger posed by MITM, then I will accept that you have a point. I'm talking about actual, verifiable evidence though, not theorizing.

If you read the IT press at all, I am sure you will be aware of the massive scale of some of the website data thefts which have occurred in 2016. Many of these involved multiple millions of stolen passwords. Most of these involved attacks on Web or database servers. A few, attacks on client computers or insecure admin-level accounts. None, to my knowledge, involved MITM.

The case for having browsers hash passwords automatically is, I think, overwhelmingly greater than the case for imposing HTTPS on sites which carry no sensitive data.
1:04 am on Dec 31, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2044
votes: 340


I've read your Mozilla posts. Your ideas don't seem to be gaining much traction.

Man-in-the-middle attacks are an issue with unencrypted traffic, but so is eavesdropping. You "read the IT press," so I'm sure you've heard of Prism. How's that for scale?
11:44 am on Jan 2, 2017 (gmt 0)

New User

joined:Nov 13, 2015
posts:8
votes: 2


I fail to see how Prism is related to this. If a judge orders that data be handed over, then it has to be handed over. If it has been encrypted then it must be decrypted. It is about as far removed from man-in-the-middle as it gets.

I've asked on a number of IT forums for evidence of MITM attacks which led to theft of passwords. So far, the response has been zero. Add this to the paucity of such reports on IT security investigation sites, and you have to admit, it's a strange situation.

The fact that the proponents are not prepared to listen to counterarguments, only makes for stronger evidence that they know it is pointless from a security perspective, but have undisclosed reasons to pursue it.
2:17 pm on Jan 2, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2044
votes: 340


The NSA, like agencies in other countries, taps into internet communications, and any traffic over HTTP, as well as POP3, FTP and other unencrypted protocols, flows openly and can be read by anyone with access. On a smaller scale, this applies to public/shared wifi networks as well. Rest assured passwords and other sensitive data have been intercepted this way, or the data used as a link in a chain to gain access to other systems. It's a security and privacy problem that needs to be fixed, and that's why HTTPS is being pushed aggressively.

I don't see why you need to downplay one security enhancement to promote another, especially when the latter depends so much on the former: client-side hashing is pointless without HTTPS.