What exactly does SSL protect in a web site forum/mail?

I always thought ssl was for banking only but then on a web forum that I frequent someone complained that it's not secured by ssl.

Many others said "why do you care?" since they said ssl is only for banking. One devil's advocate kept saying that ssl also protects more.

So I'm confused.

On the site I have a few things that I'd like to keep protected. Does ssl protect them?

  1. I have a login account name and a password.
  2. The site has "internal" private messages.
  3. The site has "external" public discussions.

Which of these things are protected by ssl? And if they're not protected, who can see them?

Reply to
Alice J.

On Saturday 23 Jan 2016 14:26, Alice J. conveyed the following to alt.os.linux...

If the website supports SSL, then the URL in the browser's address bar will show "https://" instead of "http://". All that does, however, is encrypt the traffic between your computer and the website, as Marco said.

Unencrypted traffic can easily be analyzed by way of packet sniffers; in other words, someone could intercept the traffic between your computer and the website and could glean your login and your password, and SSL/TLS encryption makes that a lot more difficult.

Now, on account of those private messages, I myself am an administrator at a web-based forum, and most forum engines are based upon a PHP front-end and a MySQL back-end. Private messages, like the forum threads and forum posts themselves, are not stored in any encrypted format (albeit that the server itself may have been set up with an encrypted filesystem) but are simply stored in SQL database files.

Hope this was helpful. ;)

Reply to
Aragorn
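To make the point above concrete, here is a small added example (my own construction, not code from anyone in this thread): it parses two constructed captures, a login form submitted over plain http:// and the opening ClientHello of an https:// connection to the same host, and reports what someone listening on the wire learns from each. The hostname, form fields and sample values are made up.

```python
import struct
from urllib.parse import parse_qs

# Constructed sample (not a real site): the bytes a passive listener on the
# wire sees when a browser submits a forum login form over plain http://.
HTTP_LOGIN = (b"POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 28\r\n\r\nuser=alice&pass=hunter2&go=1")

def tls_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name (SNI)
    extension: the first thing a browser sends for an https:// connection."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeroed for the demo)
            + b"\x00"                        # empty session id
            + b"\x00\x02\xc0\x2f"            # one cipher suite offered
            + b"\x01\x00"                    # compression methods: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22

def observer_view(pkt):
    """What an on-path observer (a neighbour on the cable, a node at the ISP)
    can read from one captured request without holding any key."""
    if pkt[:1] == b"\x16":                                # TLS handshake record
        body = pkt[9:]                                    # skip record + handshake headers
        pos = 2 + 32                                      # client_version + random
        pos += 1 + body[pos]                              # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                              # compression methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos, sni = pos + 2, None
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0:                                # server_name: hostname in clear
                nlen = struct.unpack("!H", body[pos + 7:pos + 9])[0]
                sni = body[pos + 9:pos + 9 + nlen].decode()
            pos += 4 + elen
        # The destination is visible; path, cookies and form fields are not.
        return {"transport": "https", "host": sni, "path": None, "fields": {}}
    head, _, payload = pkt.partition(b"\r\n\r\n")         # plain HTTP: everything is readable
    lines = head.decode().split("\r\n")
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    fields = {k: v[0] for k, v in parse_qs(payload.decode()).items()}
    return {"transport": "http", "host": host, "path": lines[0].split()[1], "fields": fields}
```

Calling observer_view(HTTP_LOGIN) returns the login name and password in the clear, while observer_view(tls_client_hello("forum.example")) yields only the hostname: that is exactly the boundary of what SSL/TLS protects.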

SSL "protects" the data in transit between your PC and the server by encrypting it.

Once it's on your PC or on the server, the data is protected by whatever security methods are instituted by the management of the stored data, if any.

Many Web sites are quite sloppy about how they store user data, often leaving userids, passwords and other sensitive data stored with no encryption.

How do you protect the data on your own PC?

Reply to
Bert

I don't. But I assume my router is protecting that. The router has the bulk firewall. And the router has the passphrase.

Are you saying my neighbors can read my ssid passphrase?

Reply to
Alice J.

Certainly not.

Somebody can enter the house in your absence and have a look at your computer. How do you protect the machine? Do you have a hired gun to protect it? Realistically, are your hard disks fully encrypted?

That's one aspect, you can consider more.

For instance. Anybody in your house can connect an ethernet cable to your router and immediately gets access to your entire local network, not needing to find out your WiFi password. Are you using firewalls on all your local machines, are they kept updated, do you follow secure practices on all of them?

Particularly, anybody connecting such a cable would be able to listen to all your web traffic to sites that do not use SSL. Do you live alone in your house, do you have room mates? They could read it all. Perhaps sniff your password and pose as you. Perhaps you use that same login/password on other sites, so they would try whatever site they think to try. I know people that use the same pin for their bank as for email...

Probably not.

Reply to
Carlos E. R.

Without ssl/tls anyone could be able to snoop your login/password. Quite many use the same password for more than just one site, which could in some cases lead to the snooper being able to log in to your PayPal, Skrill or online bank account.

With ssl/tls all the traffic that goes over https will be protected so that not everyone can see the traffic that goes between you and the site. There are of course cases where the ssl/tls implementation has been bad and made it easier to decrypt the data, for example the schannel vulnerability (Microsoft) and Heartbleed (OpenSSL). Even a buggy ssl/tls implementation is better than none.

Reply to
J.O. Aho

I am very confused so if I try to explain below, can you or someone fix where I get it wrong and where I don't get it quite right?

MY NETWORK: I have two kids, both have ipads and one has a windows laptop all connected by wireless air while I have a linux laptop which is always also using the wireless air.

We all share a windows desktop and an old HP laser printer both of which are connected by wire to the netgear "n" wifi router.

MY ROUTER: The Netgear "n" router only has three things wired to it, which are the printer, the windows desktop and the comcast modem.

Everything else is connected by wireless air.

The wpa2 login and password are that which is printed on the label of the router, which is said to be unique to the router.

There are no mac filters or any other fancy protections added. The SSID is told over the air and is not told to be hidden.

MY INTERNET: I have comcast 50Mbps but it is sometimes 90Mbps on the desktop. It's something like 30Mbps on my laptop by air over speedtest.

I have many neighbors on comcast but I do not know if they are on the same "network" which someone said can happen. (Can that happen? How would I know?)

MY ASSUMPTION: Let's assume we make ZERO connections by SSL to web sites for the purpose of this discussion. So nothing is encrypted on its way through comcast to the internet and back to the modem. (I repeat we assume only http and not https.)

And let's assume that we have a perfectly normal network at home and at comcast (some of which is explained below).

I assume the devices connected by wireless air are using the wpa2 encoding that the router provides so I assume that my neighbors can not "see" what web sites the kids and I go to and what passwords we type. I also assume for the same wpa2 reasons that the kids can't see what web sites I go to or my password and I assume I can't see what web sites the kids go to and what password they type.

If this is not the case, please let me know. I assume that the computer that is WIRED to the router does not enjoy this protection privilege. I assume that if I wired my laptop to the router that I could see what web site the kids are going to on the desktop that is wired to the router and what they type as a password.

I assume my neighbors on comcast can not see any of the websites nor passwords we type, but I assume anyone INSIDE of comcast CAN see what websites and passwords we type.

This is important to nail down because I assume my neighbors (who are technically very savvy) can NOT see my websites and my passwords so this is important to iron out!

How much of my assumptions are correct and how much are wrong? I would like to learn so assume only http and not https and assume a perfectly normal connection otherwise.

I'm mostly concerned with the web sites and logins and passwords of the http sites being known inside the house on the network on the wireless devices and outside the house both by my neighbors and by the path that my connections take on the internet.

Reply to
Alice J.

If you have the skills, I would change that password; there have been enough stories where the "password is unique" while all the routers sent out had the same password.

They will be in the same network as your comcast router is on the external network and most likely they will be able to see traffic from other routers in the network, if they have the skill to do so.

The communication between the wifi devices and the router will be encrypted while in the air, but after that it's in clear text. The wpa2 can be cracked too, if someone has the will and time.

All your comcast neighbours could still access the data sent from your router to the servers on the internet and get your login/password, also all gateways/servers that the traffic passes on the way to the server to which you are logging in can read your login/password.

This requires you to use SSL/TLS for all your communication with devices/servers outside your comcast router, otherwise they will be able to see the traffic in plain text.

Reply to
J.O. Aho

Bad idea. Change at least the password. Otherwise it is very possible that out there is the algorithm to generate the password. The company obviously generated the password somehow.

Also all of the data going along the wires (Windows, printer, Comcast modem) will be in the clear. And what the comcast sends out onto the net will be in the clear. The wireless protects ONLY the stuff going from the computers to the router.

From what I know, hiding it does nothing for security anyway.

If you mean via the wireless, then, assuming that the wpa2 is not broken, (It is I believe no longer the strongest of encryption)

That is less clear since the router is approachable by both. And if someone gets into the router then all games are up.

Well, why don't you use https rather than http? I would not make this assumption.

Then use https.

Reply to
William Unruh

Note [link] and links therein, which shows how to crack a wpa2-psk password (which is almost certainly what you are using).

Reply to
William Unruh

Not by just attaching a cable to an unused router port.

Reply to
default

That method depends on the rainbow tables of commonly available pass phrases. It's also for WPA2-PSK, not WPA2-AES.

I hate security discussions, but can't resist...

The real problem with home wireless security is that the pass phrase is shared with everyone that uses the wireless router via Wi-Fi. If an evil hacker can obtain access to any one of the multitude of devices that connect to the system, they can extract the pass phrase. It may not be the actual pass phrase, but can also be the hash phrase used by the key exchange protocol. For example: You'll also find various WPA/WPA2 recovery tools for Android devices that have been rooted.

Most home users don't have a clue that someone else might be using their home wireless router. There are tools for finding "unauthorized" Wi-Fi users. Detecting a problem is as important as preventing a problem: (The original AirSnare home page went away after Comcast killed off their users free home pages).

There is a solution for the shared key problem, but router vendors seem unwilling to use what's already available. WPA2-AES-Enterprise, instead of WPA2-AES-PSK (pre-shared key), assigns a unique password to each user session. Nobody has a password saved on their machine. Should someone sniff the traffic and extract the session password, the extracted pass phrase is only good until the key is renewed. It also can't be used to decrypt other users' sessions.

The best compromise is to either set up or use an online RADIUS server to handle the authentication. Plenty to choose from with the growth of cloud-based services: However, that means the use of your wi-fi security system is dependent on an offsite vendor, which might cost you money. You can roll your own with FreeRadius on your home Linux server:

Reply to
Jeff Liebermann

Note that article describes a "dictionary attack". It doesn't guarantee to be successful. It depends on the "strength" of your password, essentially how unguessable it is. That's why guidelines say to use a long and random password. Dictionary attacks will not crack a password composed of random characters. Unfortunately they are hard to remember. Fortunately wifi passwords don't have to be remembered.

Most likely the password printed on your router is random characters, but maybe not very long. I agree with those who urge you to change it. As a parent, one worrisome scenario is one of my kid's computer-savvy friends is visiting, sees my router, picks it up briefly and memorizes the password printed on the bottom!

Reply to
default

Yes by just attaching a cable to an unused router port. There are ways to hijack traffic on a LAN.

Reply to
Pascal Hambourg

I understand that the password quality matters but it doesn't matter for the purpose of this question which is to understand what happens under normal conditions.

Basically I'm asking about a "classroom" discussion on how the wpa2 works to protect my http logins and passwords between the kids and my computers and the point that it leaves the router over a wire to the cable modem.

I looked inside my router setup ever since this thread started and while there is a basic log file, I can see nowhere where it tells me the http sites I went to and what my kids or my login/passwords are in the clear.

If this can happen, how would "I" see my neighbor's traffic? I have installed tcpdump and wireshark already.

  $ sudo apt-get install tcpdump wireshark
  $ sudo tcpdump -i wlan0 -w neighbors_traffic.pcap
  $ wireshark neighbors_traffic.pcap

I don't see my neighbor's traffic in those results. I realize that is probably because I am only looking at my network.

How do I get tcpdump to look at my neighbor's traffic?

Reply to
Alice J.

At this point, I'm trying to understand the BASICS of home network security when entering logins/passwords into http web sites.

At this point, I would not assume I am being attacked by someone who is already inside the house.

I want to first understand the basics, which EVERYONE already has.

It seems that half the people told me that the wpa2 from the router is protecting the http logins and passwords while the other half said that this is not the case.

It's very important to first nail down what can easily be seen in wpa2 traffic over the air by neighbors before we jump to a threat level that assumes men clad in black are sneaking around the house inserting cables into my router.

Basics first.

Reply to
Alice J.

Remember that most home routers have a switch in there. If they are good, traffic will be isolated, but most are cheap. In any case, you get access to the local network.

Reply to
Carlos E.R.

It does, for those that listen on the radio. Not for those that connect with a cable to your router.

There was also the comment that other radio protection schemes are easily breakable, like WEP.

Nobody says they are doing it. We just say that it is possible to do it.

It is like not locking your car or your house. Perhaps nothing happens, but you are aware that it can happen.

Reply to
Carlos E.R.

There have been cases where the ISP creates what seems a random password, but someone found that the algorithm did not create really random passwords and they could be found out from the SSID. And they published a program to find out those passwords.

Reply to
Carlos E.R.

Basically it means that everything that passes on the air is encoded. A person with suitable hardware can listen to the radio traffic, but he can not "understand" the text.

Obviously a good home router will not record that data, it has no reason to do so (and eats many resources). When people want to do it, they connect another computer to one of the sockets of the router (actually, a switch) in order to listen to the traffic. More expensive switches can define a port for this usage: all traffic on all ports is replicated on this special socket. It is the external computer which does the job of listening.

And typically what we do is get stats, not specific data.

It is not that simple, because you need different hardware to connect to the external cable and read the traffic there. The normal router supplied by your ISP will not allow it. But other types of router would.

I'm guessing a bit here, I live in a different country, so I have not seen the exact hardware comcast uses.

Reply to
Carlos E.R.
