On 05/20/2010 08:23 AM, Scott A. Johnson wrote:
> I noticed something the other day when logging into the State's
> "MyAlaska" service, which seems to be a portal the State is using to
> bring more and more state services online such as applying for a PFD.
> Anyhoo, in the static URL/query string are my username and password!
> For example, the URL I received was
>
> https://palm.state.ak.us/amserver/UI/Login?Login.Token1=USERNAMEHERE&Login.Token2=PASSWORDHERE&goto=https://myalaska.state.ak.us/home&gotoOnFail=https://myalaska.state.ak.us/home/app
>
> If anyone wants to reproduce this, just substitute USERNAMEHERE and
> PASSWORDHERE with the appropriate values. My question is: is the URL
> string of an HTTPS session encrypted along with the actual data of the
> page? Or is the URL sent plain text before SSL is established, and
> therefore someone could get my username and password just by the URL
> regardless of HTTPS/SSL? What about server logs or client side
> history - wouldn't the goodies be cached and/or retained in these
> areas?
>
> Other thoughts?
Load Wireshark and start capturing the packets, then fire up your
browser and go to the site the normal way. You'll be able to see
exactly what's transmitted and when...
...Kevin
-- 
Kevin Miller - http://www.alaska.net/~atftb
Juneau, Alaska
In a recent survey, 7 out of 10 hard drives preferred Linux
Registered Linux User No: 307357, http://counter.li.org

Received on Thu May 20 08:45:03 2010
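A packet capture answers the first half of Scott's question (over HTTPS the request line, path and query string included, is sent only after the TLS handshake, so a passive observer sees the hostname via DNS and SNI but not the URL). It cannot answer the second half, which is where the real exposure lives: the query string is written to the web server's access log and, because the login page loaded at that URL pulls in images and scripts, is sent on to other servers in the Referer header. The following Python script is an added example, not code from the thread or from the MyAlaska service; it scans access-log lines in Apache "combined" format for the Login.Token1/Login.Token2 parameters quoted above plus a few generic credential names (the generic names are an assumption), redacts them, and summarises what a network observer could see for a given URL. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never carry a secret. Login.Token1/Login.Token2 are
# the names from the URL quoted in the thread; the rest are assumed common names.
SENSITIVE_PARAMS = {
    "login.token1", "login.token2",
    "password", "passwd", "pwd", "pass", "token", "secret", "apikey", "api_key",
}

# Apache "combined" log format: host ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample log: a login with credentials in the query string, an image
# fetched by that login page (Referer carries the same query string), and a normal hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2010:08:23:11 -0800] "GET /amserver/UI/Login?Login.Token1=alice'
    '&Login.Token2=hunter2&goto=https://myalaska.state.ak.us/home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/May/2010:08:23:12 -0800] "GET /static/logo.png HTTP/1.1" 200 812 '
    '"https://palm.state.ak.us/amserver/UI/Login?Login.Token1=alice&Login.Token2=hunter2" "Mozilla/5.0"',
    '10.0.0.9 - - [20/May/2010:08:24:00 -0800] "GET /home/app?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def sensitive_params(url):
    """Return the names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url):
    """Replace the value of every sensitive query parameter with [REDACTED].

    Suitable for a log-shipping filter: the rest of the URL is preserved so the
    entry is still useful for troubleshooting."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # Keep '/', ':' and the brackets readable instead of percent-encoding them.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/:[]")))


def scan_log(lines):
    """Report every log line where a credential appears in the request target or Referer."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # not a combined-format line; skip it
        for field in ("target", "referer"):
            value = m.group(field)
            if value and value != "-":
                hits = sensitive_params(value)
                if hits:
                    findings.append({"line": lineno, "field": field, "params": hits})
    return findings


def visible_on_the_wire(url):
    """What a passive network observer sees for a request to `url`.

    Over HTTPS the request line (path and query) travels inside the TLS tunnel;
    only the hostname is exposed, through DNS and the TLS Server Name Indication.
    Over plain HTTP everything is in the clear."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {"host": parts.hostname, "path": None, "query": None}
    return {"host": parts.hostname, "path": parts.path, "query": parts.query}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: credentials in {f['field']}: {', '.join(f['params'])}")
    print(redact_url("https://palm.state.ak.us/amserver/UI/Login?Login.Token1=alice&Login.Token2=hunter2"))
    print(visible_on_the_wire("https://palm.state.ak.us/amserver/UI/Login?Login.Token1=alice"))
```

Run it as a one-off against an exported access log to see how often the pattern appears; the same `redact_url` function can sit in a log-forwarding filter so the secrets never reach long-term storage. The durable fix is on the application side: credentials belong in a POST body (or an Authorization header), never in the URL, because browsers keep URLs in history, proxies and servers keep them in logs, and Referer leaks them to any third-party resource the page loads.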
This archive was generated by hypermail 2.1.8 : Thu May 20 2010 - 08:45:03 AKDT