Suggestion: Protection against MIM/port sniffer attacks :: Zikula Community

Print topic

Start ::
Community ::
Feedback & Suggestions ::
Suggestion: Protection against MIM/port sniffer attacks

Moderated by:
Support

Suggestion: Protection against MIM/port sniffer attacks

Posted: 10.04.2005, 22:55

rank:

Helper

registered:

December 1969

Status:

offline

last visit:

13.05.05

Posts:

145

PostNuke should include some protection against Man-In-the-Middle and port sniffer attacks. Currently, PostNuke sends plaintext username and passwords making it all to easy for anyone with a port sniffer (like ettercap or ethereal) to see the username and password. (if you don't believe me, i can take some screenshots to show you)

My suggestion is:
PostNuke should use javascript (when available) to encode the user name and pass word before sending. There is a javascript md5 library available at http://pajhome.org.uk/crypt/md5/index.html which was released under the BSD license.

For a live example, see http://login.yahoo.com
- notify mod
Posted: 11.04.2005, 06:18

rank:

Professional

registered:

October 2004

Status:

offline

last visit:

08.01.07

Posts:

999

Man in the middle? I've had dreams about that ...

--
Over 500 Xanthia and AutoThemes

XanthiaThemes.com

AutoThemes.com
- notify mod
Posted: 15.04.2005, 10:01

rank:

Softmore

registered:

July 2004

Status:

offline

last visit:

24.03.06

Posts:

82

thats not a bad idea ^_^ a small rewrite to the login system blam there u go ^_^

once i got the my new PostNuke is up again I will give this a try ^_^
- notify mod
Posted: 16.04.2005, 00:45

rank:

Helper

registered:

December 1969

Status:

offline

last visit:

13.05.05

Posts:

145

for a good overview, examples, and the javascript library,
see http://pajhome.org.uk/crypt/md5/chaplogin.html
- notify mod