[aklug] Re: State of Alaska Security / SSL

From: Scott A. Johnson <scott.a.johnson@gmail.com>
Date: Thu May 20 2010 - 08:50:18 AKDT

Thanks for the info Kevin, Joshua, and Royce. All good info and
ideas. Another thought though - does this type of security make a
login any more vulnerable to brute-force attempts than a POST form
type? Seems like it may be easier for some automated scripts to poll
a list of set URLs if you will than having to load a page, fill out a
form, and post it. I wonder if there is a login-count process
associated with this login method that will lock out accounts if the
wrong password is used too many times.

Scott

On 2010-05-20, Kevin Miller <atftb2@alaska.net> wrote:
> On 05/20/2010 08:23 AM, Scott A. Johnson wrote:
> > I noticed something the other day when logging into the State's
> > "MyAlaska" service, which seems to be a portal the State is using to
> > bring more and more state services online such as applying for a PFD.
> > Anyhoo, in the static URL/query string are my username and password!
> > For example, the URL I received was
> >
> > https://palm.state.ak.us/amserver/UI/Login?Login.Token1=USERNAMEHERE&Login.Token2=PASSWORDHERE&goto=https://myalaska.state.ak.us/home&gotoOnFail=https://myalaska.state.ak.us/home/app
> >
> > If anyone wants to reproduce this, just substitute USERNAMEHERE and
> > PASSWORDHERE with the appropriate values. My question is: is the URL
> > string of an HTTPS session encrypted along with the actual data of the
> > page? Or is the URL sent plain text before SSL is established, and
> > therefore someone could get my username and password just by the URL
> > regardless of HTTPS/SSL? What about server logs or client side
> > history - wouldn't the goodies be cached and/or retained in these
> > areas?
> >
> > Other thoughts?
>
> Load Wireshark and start capturing the packets, then fire up your
> browser and go to the site the normal way. You'll be able to see
> exactly what's transmitted and when...
>
> ...Kevin
> --
> Kevin Miller - http://www.alaska.net/~atftb
> Juneau, Alaska
> In a recent survey, 7 out of 10 hard drives preferred Linux
> Registered Linux User No: 307357, http://counter.li.org
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

-- 
Scott A. Johnson
scott.a.johnson@gmail.com
http://scojo.us
mobile: +1.907.240.2483
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
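For the questions raised in this thread (whether the query string of an HTTPS request is encrypted, what retains it afterwards, and the lock-out counter Scott wonders about), here is an added worked example. It is not code from MyAlaska, the State of Alaska, or anyone on the list. What it relies on: under HTTPS the request line, path and query included, travels inside the TLS tunnel, so a passive observer sees only the hostname (via DNS and the TLS SNI extension); the path and query are nevertheless written to server access logs, browser history and outbound Referer headers. The URL shape is the one quoted above; the parameter-name list beyond `Login.Token1`/`Login.Token2`, the access-log line, and the `LockoutPolicy` class are constructed for illustration.

```python
"""Why credentials in an HTTPS URL are a problem, and two defender-side checks.

Added example for the aklug thread; not code from MyAlaska or the State of
Alaska.  The URL shape is the one quoted in the thread; the log line is
constructed, and LockoutPolicy is a hypothetical illustration.
"""
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never be carried in a URL.  The two
# "Login.Token" names come from the URL quoted in the thread; the others are
# common credential parameter names (assumption, extend as needed).
SENSITIVE_PARAMS = {"login.token1", "login.token2", "password", "passwd",
                    "pwd", "secret", "token"}

MYALASKA_URL = ("https://palm.state.ak.us/amserver/UI/Login"
                "?Login.Token1=USERNAMEHERE&Login.Token2=PASSWORDHERE"
                "&goto=https://myalaska.state.ak.us/home"
                "&gotoOnFail=https://myalaska.state.ak.us/home/app")


def exposure(url):
    """Split a URL into what a passive observer sees even with HTTPS (the
    host, via DNS and TLS SNI) and what travels inside the TLS tunnel but
    is still retained in server logs, browser history and Referer headers
    (path and query)."""
    p = urlsplit(url)
    return {"cleartext_on_wire": {"host": p.hostname, "port": p.port or 443},
            "encrypted_but_retained": {"path": p.path, "query": p.query}}


def sensitive_params(url):
    """Names of query parameters in `url` that look like credentials."""
    q = urlsplit(url).query
    return [k for k, _ in parse_qsl(q, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url, placeholder="REDACTED"):
    """Return `url` with credential-looking query values replaced.  Works for
    absolute URLs and for the relative request target in an access log."""
    p = urlsplit(url)
    pairs = [(k, placeholder if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(p.query, keep_blank_values=True)]
    # safe=":/" keeps the goto=https://... values readable after re-encoding
    return urlunsplit(p._replace(query=urlencode(pairs, safe=":/")))


# Request line inside a combined-format access log entry.
_REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def redact_log_line(line):
    """Scrub credential-bearing query strings from one access log line."""
    return _REQUEST_RE.sub(
        lambda m: '"%s %s %s"' % (m.group("method"),
                                  redact_url(m.group("target")),
                                  m.group("proto")),
        line)


class LockoutPolicy:
    """Per-account failed-login counter: the account is locked once
    `max_failures` failures fall inside `window` seconds.  Enforced on the
    server, so it applies whether the client sends a GET URL or a POST form."""

    def __init__(self, max_failures=5, window=900):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # user -> failure timestamps

    def _prune(self, user, now):
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, user, now):
        self._prune(user, now).append(now)

    def is_locked(self, user, now):
        return len(self._prune(user, now)) >= self.max_failures


if __name__ == "__main__":
    print(exposure(MYALASKA_URL))
    print(sensitive_params(MYALASKA_URL))
    print(redact_url(MYALASKA_URL))
    # Constructed access-log line in combined format.
    line = ('10.0.0.5 - - [20/May/2010:08:23:11 -0800] "GET /amserver/UI/Login'
            '?Login.Token1=alice&Login.Token2=hunter2'
            '&goto=https://myalaska.state.ak.us/home HTTP/1.1" 302 0 "-" '
            '"Mozilla/5.0"')
    print(redact_log_line(line))
```

`redact_log_line` is the kind of scrub a log pipeline would apply before retention; `sensitive_params` is the check a reviewer would run against a login URL to flag it in the first place. `LockoutPolicy` only shows where such a counter sits (server side, keyed by account), since nothing in the thread says whether the State's portal has one.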
Received on Thu May 20 08:50:30 2010

This archive was generated by hypermail 2.1.8 : Thu May 20 2010 - 08:50:30 AKDT