So now you think, ahhh brilliant, this will be nice and secure. So you enter your user name and your password. Let's assume my name is 'r2d2' and my password is 'security'. Let's have a look at the packet that is sent over the so trustworthy Internet.
Cookie: sessionid=1245b528-ae7e-4022-9300-0f580a07f33e:0x409; ASPSESSIONIDCC DRTSCS=NKDGCHNAEPBLGGFDAOHGPAHM\r\n
Authorization: Basic cjJkMjpzZWN1cml0eQ==\r\n
Credentials: r2d2:security
\r\n
Can you spot the password? This is in plain text; I just caught the packet with Wireshark. So let's create a little scenario here. I am sitting in the library with my laptop on the wireless network and I want to read my email, so I log into the email server. Now anyone within reach of my wireless can sniff the packet and get my password. Because this password is used all around uni, they can now see everything I see: my results (mybu), my assignments (h drive), ....
If you want you can use HTTPS, but it is not enforced.
You can view the whole package here
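As an added example (not code from the original post), here is a small Python audit in the defender's role: it parses a request in the same shape as the capture above, shows that the Basic Authorization value is only base64-encoded rather than encrypted, and flags credentials or session cookies sent without TLS. The request line, the host name and the over_tls flag are constructed assumptions; the Authorization value is the one from the capture.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample request: same header shape as the Wireshark capture in the post
# (CRLF-separated headers, blank line ends the header block). Host is made up.
SAMPLE_REQUEST = (
    "GET /mail/inbox HTTP/1.1\r\n"
    "Host: mail.example.edu\r\n"
    "Cookie: sessionid=1245b528-ae7e-4022-9300-0f580a07f33e:0x409\r\n"
    "Authorization: Basic cjJkMjpzZWN1cml0eQ==\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a dict of headers (names lowercased)."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_credentials(auth_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' value, or None if not Basic.
    Base64 is an encoding, not encryption: anyone holding the packet can reverse it."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_request(raw: str, over_tls: bool) -> List[str]:
    """List findings for one request, e.g. Basic credentials sent without TLS."""
    findings: List[str] = []
    headers = parse_headers(raw)
    creds = decode_basic_credentials(headers.get("authorization", ""))
    if creds and not over_tls:
        findings.append(f"Basic credentials for user '{creds[0]}' sent over cleartext HTTP")
    if "cookie" in headers and not over_tls:
        findings.append("session cookie sent over cleartext HTTP")
    return findings
```

The audit reports nothing when the same request travels over TLS, which is exactly the difference between the optional and the enforced HTTPS the post mentions.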
2 comments:
Well yes, but we knew this. Just like anything password related that is not hashed, i.e. not hashed = plain text. FTP has the same issue.
Of course I don't trust uni email. I use mine as a spam account anyway :P Don't we all?
Uni Wireless is easily accessible from Uni Parking, so be aware :)