Explaining to Client Vulnerability of a Form Not Protected by https/SSL

Shai's picture

Hi Folks,

I want to accurately describe to a client the vulnerability of a form collecting data over http.

I understand that over unprotected wifi a person could "listen" and grab data passing from someone submitting info to the form.

What I don't know is how hard it is for someone to "sit" on a particular form and collect data being submitted to the form from people who do share a network connection with the person trying to steal the information.




Packet Sniffing Is Possible

jasonkryst's picture

You do mention an interesting security vulnerability. The attacking party would have to man in the middle between the user accessing the form and the end location of the form. If you are on the same network it is much easier to do, as you can sniff out those packets of the target machine that you want to snoop. Over a wider base, it is more difficult to do, unless you know of the target machine that you want to drop in the middle of. Through packet sniffing and knowing your target, any machine can be snooped. All you really need is a network card that allows for promiscuous mode and a good tool such as Wireshark. Thereafter, there are any number of possibilities as network traffic is typically broadcast across the entire LAN. Once you overlay SSL, it become much more difficult to hack.

If you are requesting personal information (other than name, email, etc) you should SSL the form. It's good policy and ensures data security for your users.

SSL also aims to create

greggles's picture

SSL also aims to create confidence that you are sending the information to the right place. If someone inspects the certificate associated with the site they can see who the organization is and gain more trust that they are submitting information to the organization they want to.

For example, I know that I want to submit this comment to groups.drupal.org. If I look at the certificate I can see that my browser has a geotrust certificate in it. And geotrust verifies that RapidSSL gave this certificate to *.drupal.org. So, I can have a bit more confidence that the information I'm submitting is going to the drupal.org server.

There's still the risk of xss on an ssl page that could alter the destination of my information, of course, but SSL helps me know that I'm dealing with the right party and not getting phished.

SSL is a good thing (tm)

perusio's picture

Indeed SSL provides two things:

  • Endpoint authentication: Making sure that you're really talking to server X
    owned by a given entity.

  • Confidentiality of the data: encryption of the data exchanged between client and

Here's a good set of guidelines for a secure SSL configuration for all web servers: nginx, Apache or Lighty: https://bettercrypto.org/static/applied-crypto-hardening.pdf.

Note that SSL is not fool proof. It depends on the user awareness and on the Certficate Authority policy. That being said is definitely a step in the good direction.

Also as much as possible avoid mixed mode (HTTP/HTTPS). IMHO the best approach is to stay over once you're logged in.