Is my password viewable?

Discussion in 'privacy problems' started by Marca, Mar 10, 2003.

Thread Status:
Not open for further replies.
  1. Marca

    Marca Registered Member

    Joined:
    Mar 10, 2003
    Posts:
    1
    Hi there everybody, this is my first post - hope I'm doing everything right..

    There's a site I'm visiting often (an Admin site) that requires my ID and password. While I'm on this first page, before I type my details in, the "http" on the url does not include an "s". I type my ID and password and click on "enter". Only when I click on "enter" the "http" becomes "https".

    The question is: Is my password viewable when I typed it before the "s" appeared? If not, why are there some other sites that show the "s" BEFORE I have typed my password in?

    Thanks
    Marca
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Marca,

    Welcome to Wilders! Yes, you did this correctly. :)

    Your password is probably safe. I say "probably" only because you didn't say which site, and if the developers of it made some kind of mistake implementing their session login, there could be problems. But, the method itself is not too bad...

    I know of some webmail sites that do this. SSL sessions (https browsing) can be a little expensive in terms of excess overhead (i.e. the extra CPU processing on the server, in particular, needed to encrypt everything that goes up and down the network wire), so some sites only do it the absolute minimum amount required. AOL's web email interface to AOLmail is one of these.

    By only using an SSL session right at the point when you send your username and password (when you press enter) and get authorized back, the website saves these extra resources. It is technically secure, as far as the "password transmission" goes. It is sent fully encrypted during that brief 'back and forth' SSL session. After that, generally the session ID, (or some other key), is used to allow the site to know it's still you.

    Of course, if after the password has been authorized, the remaining pages go back to regular http, then the contents of the rest of whatever you are doing at that site is not going to be encrypted either.

    While total encryption would be desirable from start to end, I don't see this as terrible for some less confidential things done on the web. It keeps the password secure, but not the rest of the session. Obviously, this would be totally unacceptable for things you want kept highly secret, like CC# or banking transactions, and the transmission of other personally identifiable data (name, address, etc.), that you might want to use online.

    Best Wishes,
    LowWaterMark
     
  3. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Marca & LowWaterMark!

    There's always the possibility to use a packet sniffer to be sure if the traffic is encrypted or not. But I don't want to push you into something which is quite complex! :blink:

    For those who are interested, try this one here:

    http://www.ethereal.com/

    Best regards!

    Patrice
     
  4. The Snowman

    The Snowman Guest

    Well over 90% of my internet use is https......ideally the login page should be https..however, our good friend LowWaterMark explained it exceptionally well an should have calmed any questionables.
    only a couple of comments.......you can place the https site in internet explorer's trusted zone which "requires server verification(https) for all sites in this zone......please note however, the http site does not go there.....place the actual https site there.....it will be differant from the login page,,
    other mentions that may be of interest.....after finishing your session..clean= cache/history/contents......otherwise it may be possible for another user to gain access to the https account.....normally the https session would have expired and access denied to another user...so other than cleaning your tracks this may never be a real problem so consider as just an extra step...if you ever noitice that the session did not expire...contact the webmasters of the site immediately an advise them
    ill health/time restrictions wont permit further comments by me.......is https in and of itself secure..some say it is not....its certainly not within my personal knowledge to discuss that point

    The Snowman
     
  5. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Nice posts LWM and Snowy!

    I have noticed more online providers (webmail, calendars, etc.) that require log-ins offering you the option of a secure log-in. Click on "secure log-in" and it will give you a htpps page. I agree with LWM that the content provider is obviously trying to save resources (read $$$), but at least more are giving you (the INFORMED user) the option.

    John
    Luv2BSecureWhenILogIn
     
Loading...
Thread Status:
Not open for further replies.