Bournemouth University email security

At CERN we can use Microsoft Outlook Web Access, so I wondered whether it is as secure as at my Uni (a little sarcasm here). Yes, it is far more secure: everything is done over HTTPS (you have to use it). But because of the horrible state of security at Bournemouth I want to enlighten some people. If you access the uni mail through a web browser you get a pop-up dialog similar to this:

So now you think, ahhh brilliant, this will be nice and secure. So you enter your user name and your password. Let's assume my name is 'r2d2' and my password is 'security'. Let's have a look at the packet that is sent over the so trustworthy Internet.

Cookie: sessionid=1245b528-ae7e-4022-9300-0f580a07f33e:0x409; ASPSESSIONIDCCDRTSCS=NKDGCHNAEPBLGGFDAOHGPAHM\r\n
Authorization: Basic cjJkMjpzZWN1cml0eQ==\r\n
Credentials: r2d2:security
\r\n

Can you spot the password? It is effectively in plain text: the Authorization header is only Base64-encoded, which anyone can reverse, and I just caught the packet with Wireshark. So let's create a little scenario here. I am sitting in the Library with my laptop on wireless and I want to read my email, so I log into the email server. Now anyone within reach of my wireless can sniff the packet and get my password. Because this password is used all around uni, he can now see everything I see: my results (mybu), my assignments (H drive), ....
If you want you can use HTTPS, but it is not enforced.
You can view the whole packet here

2 comments:

vext01 said...

Well yes, but we knew this. Just like anything password-related that is not hashed. I.e. not hashed = plain text. FTP has the same issue.

Of course I don't trust uni email. I use mine as a spam account anyway :P Don't we all?

jarek said...

Uni Wireless is easily accessible from Uni Parking, so be aware :)