
capturing logins/passwords

 
baggeh



Joined: 04 Nov 2003
Posts: 9

PostPosted: Mon Apr 12, 2004 10:38 pm    
Post subject: capturing logins/passwords

When you set your wireless NIC to promiscuous mode, you can capture all packets (none are encrypted) without having to log in to FirstSpot.

I realise this is a weakness inherent in TCP/IP, but some SSL would be nice :)

Network environment -
1 laptop not logged into FirstSpot (capturing box)
1 laptop attempting to log in to FirstSpot

Here is an example capture with user/pass at the end

POST /login.php?detectframe=done HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://10.20.7.1:5788/login.php?detectframe=done
Accept-Language: en-nz
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 10.20.7.1:5788
Content-Length: 22
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=637b26833299cc9be60bddc0c199305f

name=123456&pwd=123456

-James
Digital7
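
Added example, not part of the original post or of FirstSpot: a check a hotspot operator could run over requests seen at a cleartext capture point or proxy log to flag login forms that submit a password without TLS. The field-name list, the function names and the `seen_over_tls` flag are assumptions, and the sample request is constructed with placeholder values.

```python
from urllib.parse import parse_qsl

# Field names treated as secrets; "pwd" is the one in the capture above,
# the others are assumed common variants.
SECRET_FIELDS = {"pwd", "pass", "passwd", "password"}

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()

def audit_cleartext_login(raw: str, seen_over_tls: bool = False):
    """Return a finding dict if a form POST carried secret fields without TLS, else None."""
    method, target, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if seen_over_tls or method != "POST" or ctype != "application/x-www-form-urlencoded":
        return None
    fields = parse_qsl(body, keep_blank_values=True)
    secrets = sorted({k for k, _ in fields if k.lower() in SECRET_FIELDS})
    if not secrets:
        return None
    return {
        "host": headers.get("host", "?"),
        "path": target.split("?", 1)[0],
        "secret_fields": secrets,
        # Report names and lengths only; never copy secret values into logs.
        "redacted_body": "&".join(
            f"{k}=<{len(v)} chars>" if k.lower() in SECRET_FIELDS else f"{k}={v}"
            for k, v in fields),
        "session_cookie_exposed": "cookie" in headers,
    }

# Constructed sample modelled on the capture in the post (values are placeholders).
SAMPLE = (
    "POST /login.php?detectframe=done HTTP/1.1\r\n"
    "Host: 10.20.7.1:5788\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=0000000000000000\r\n"
    "\r\n"
    "name=alice&pwd=example-pw"
)

if __name__ == "__main__":
    print(audit_cleartext_login(SAMPLE))
```

The finding also notes when a session cookie travelled in the same cleartext request, since that is exposed to the same observer as the password.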
baggeh



Joined: 04 Nov 2003
Posts: 9

PostPosted: Mon Apr 12, 2004 10:49 pm    
Post subject:

Btw, for those who don't realise, the same goes for credit card details and _every_ other type of transaction done over FirstSpot.
kevin
Forum facilitator


Joined: 26 Sep 2003
Posts: 442

PostPosted: Tue Apr 13, 2004 2:24 am    
Post subject:

The coming version 2.1.5, to be released this week (Apr-19), will have an SSL option for the authentication pages.

To set the record straight, please be assured that the credit card details you provide to most credit card payment gateways ARE ALREADY SSL-enabled; that is the service provided by the payment gateway itself. Just like the case with PayPal, their payment pages ARE SSL-enabled. NONE of your credit card details will be shown unencrypted in the air.

~ Patronsoft Limited ~
Ton



Joined: 04 Mar 2004
Posts: 13
Location: Barcelona, Spain

PostPosted: Wed Apr 14, 2004 10:00 am    
Post subject: There are solutions to this.

OK, I'm not going to make any promotions for nothing, but wherever I use a WiFi solution I use an encryption account to encrypt the traffic I generate on the WiFi interface. This service is called [product name hidden] and is sold by a company called [company name hidden] in Germany and in Spain.

It's not expensive at all ($120 per year) and it works fine for me. At least it protects me against this kind of problem.

For what it's worth.

Regards,

Ton.
_________________
Still evaluating FirstSpot.
All times are GMT