Protect your Passwords: Securing login forms using SSL/TLS
If a website's login form submits credentials over plain HTTP, an attacker on the same network can capture them with very little effort. When the login button is pressed, the username and password travel across the network as unencrypted plain text, and anyone listening can capture the packets and read the password straight out of the request.
When you log on to a website that handles sensitive data, such as your bank, you expect to see the lock symbol in your browser's address bar (older browsers also showed an extended validation "green bar" carrying the company name; the major browsers have since removed that indicator). The lock tells you that the connection is encrypted and the certificate is trusted for that domain, so a password submitted on that page cannot be read by anyone sitting between you and the site.
Why should you trust a website with your sensitive information if this protection is absent? The simple answer is that you shouldn't. These days, no matter what the website is, there is no excuse for not protecting the login with SSL/TLS. This matters most when the user is connecting through a public, untrusted network.
If your device is connected to a public wireless network, such as one in a coffee shop, mall, or airport, any unencrypted web browsing can be captured by any of numerous packet-sniffing applications. Worse, a man-in-the-middle attacker is not limited to listening: they can modify the traffic and inject malicious content into your browser session.
One of the most commonly used tools for packet capture is Wireshark, an open-source packet analyzer released under the GPL. Numerous video tutorials on YouTube can teach a novice computer user to become adept at packet sniffing with it, and a quick search turns up countless introductory walkthroughs. Once a capture is open, a single display filter such as http.request.method == "POST" is enough to pull every unencrypted form submission, credentials included, out of the trace.
At the very least, SSL/TLS protects the user against packet capture and man-in-the-middle attacks when logging into a website on a public network. An attacker can still try to present a forged or mismatched certificate, but the browser will warn the user when the certificate is not trusted or does not match the site being visited. Be clear about what this does and does not buy you: TLS on the login form protects the credentials in transit; it does not by itself stop phishing, because a phishing site can obtain a perfectly valid certificate for its own domain name.
Poorly Secured Login Forms
It's also important to build the login form so that the protection is applied properly and effectively. The form should be hosted on an HTTPS page and also post to HTTPS. If the form only posts to HTTPS but is itself delivered over plain HTTP, the page that contains it is unprotected and susceptible to a man-in-the-middle attack: the attacker can rewrite the form's action in transit so that it posts to any address they choose, or add a script that copies keystrokes as they are typed. Because the HTML you receive looks normal and the browser shows nothing unusual, you would have a hard time noticing before your credentials were posted to the attacker's server. This is far more dangerous if you reuse that username and password on other websites, because the attacker now has access to all of them. The same logic applies to the site's entry point: the HTTP version of the site should redirect to HTTPS immediately and send a Strict-Transport-Security header so that later visits never touch plain HTTP at all.
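The three cases described above (form delivered over HTTP, form delivered over HTTP but posting to HTTPS, and form both delivered and posting over HTTPS) can be checked mechanically. The Python script below is an added example written for this article, not code from the original post: it parses a page for forms containing a password field, resolves each form's action against the page URL the way a browser would, and reports when either the page or the submission target is not HTTPS, plus whether an HTTPS page sends a Strict-Transport-Security header. The sample pages and the example.test host are constructed inputs; feed it a real URL, body and response headers to audit a live site.

```python
"""Audit whether a login form is both delivered and submitted over TLS.

Added example for this article, not code from the original post. It runs on
constructed HTML and headers so it works offline; to audit a live site, fetch
the page and pass its URL, body and response headers to audit_login_page().
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of findings (an empty list means the login form passes).

    page_url: the URL the HTML was fetched from; its scheme is what matters.
    html:     the response body.
    headers:  dict of response headers; looked up case-insensitively.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Case 1: the page itself arrives over HTTP. Even if the form posts to
    # HTTPS, an attacker on the path can rewrite the action or add a script
    # before the browser ever renders it.
    if urlparse(page_url).scheme != "https":
        findings.append("page served over HTTP: form markup can be altered in transit")
    # An HTTPS page without HSTS still lets the user's first http:// visit be
    # intercepted before the redirect to https:// happens.
    elif "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header: first visit can be downgraded")

    parser = FormFinder()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        findings.append("no password form found")

    # Case 2: the form posts over HTTP. A relative action inherits the page's
    # scheme, so urljoin() resolves it exactly as the browser would.
    for form in login_forms:
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append(f"form posts credentials over HTTP to {target}")
    return findings


# Constructed sample pages (example.test is not a real site).
HTTP_FORM = ('<form action="/login" method="post">'
             '<input name="user"><input type="password" name="pass"></form>')
HTTPS_ACTION_FORM = ('<form action="https://example.test/login" method="post">'
                     '<input name="user"><input type="password" name="pass"></form>')
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    # Everything over HTTP: two findings.
    print(audit_login_page("http://example.test/", HTTP_FORM, {}))
    # HTTP page posting to HTTPS, the case warned about above: still one finding.
    print(audit_login_page("http://example.test/", HTTPS_ACTION_FORM, {}))
    # HTTPS page, HTTPS action, HSTS set: clean.
    print(audit_login_page("https://example.test/", HTTPS_ACTION_FORM, HSTS))
```

The middle case is the one that fools people: the form's action is HTTPS, so the credentials would be encrypted if the form were left alone, but the page carrying the form arrived unprotected, so nothing guarantees it was left alone. The checker therefore flags the page scheme before it ever looks at the action.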
When putting a login form behind an SSL/TLS certificate, it's important to develop the form with security best practices in mind. A few good resources to start with are:
- The Web Application Hacker's Handbook
- The Open Web Application Security Project (OWASP)
- Troy Hunt's Blog: Australian Web Security Expert
Not only are SSL certificates becoming cheaper and more widely available, it is also easier than ever to set one up.
Availability of SSL Certificates
SSL certificates are becoming more widely available to the average website owner, and a domain-validated certificate no longer costs much, or anything at all. Let's Encrypt, a non-profit Certificate Authority backed by industry advocates such as the Electronic Frontier Foundation (EFF) and Mozilla, issues basic domain-validated SSL/TLS certificates free of charge, and its ACME protocol automates issuance and renewal so that a scheduled job, rather than a person, keeps the certificate current.
Although Let's Encrypt is definitely a step in the right direction for web security, it may not suit every website. It issues only domain-validated (DV) certificates, which assert nothing about the legal entity behind the site, even when the domain name implies that a particular company controls it. A DV certificate requires only that you prove control of the domain: Let's Encrypt checks this automatically with an ACME challenge (serving a token over HTTP or publishing a DNS record), while commercial CAs may instead send a confirmation email to an address at the domain. None of these steps verifies that you are a registered company. The encryption itself is no weaker; what an Organization Validation (OV) or Extended Validation (EV) certificate adds is a vetted organization name in the certificate, which may matter for large sites holding sensitive user data or taking payments. Those certificates are purchased from established Certificate Authorities such as Symantec, Comodo, GeoTrust, RapidSSL or Thawte, though Symantec's CA business has since been distrusted by the major browsers and acquired by DigiCert. For sites serving only public, read-only content, a free DV certificate is sufficient.
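One practical way to see which level of validation a site's certificate actually carries is to read the certificate's subject. The Python below is an added example for this article, not code from the original post: it takes the dictionary shape returned by ssl.SSLSocket.getpeercert() and classifies it as DV, OV or EV using a subject-field heuristic (DV certificates name no organization; OV certificates add an organizationName; EV certificates additionally carry the incorporation fields that the CA/Browser Forum EV guidelines require, such as businessCategory, jurisdictionCountryName and serialNumber). The three sample certificates and the shop.example.test names are constructed; fetch_cert() is the optional live path and needs network access.

```python
"""Classify a TLS certificate's validation level (DV / OV / EV) from its subject.

Added example for this article, not code from the original post. The input is
the dict shape returned by ssl.SSLSocket.getpeercert(); the classification is a
heuristic on subject fields, not a lookup of the CA's certificate-policy OIDs.
"""
import socket
import ssl

# Incorporation details that the CA/Browser Forum EV guidelines require in an
# EV certificate's subject (field names as Python's ssl module emits them).
EV_INCORPORATION_FIELDS = {
    "jurisdictionCountryName",
    "jurisdictionStateOrProvinceName",
    "jurisdictionLocalityName",
    "serialNumber",
}


def subject_fields(cert):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) subject into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' for a parsed certificate dict."""
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"          # only control of the domain names was proven
    if "businessCategory" in subj and set(subj) & EV_INCORPORATION_FIELDS:
        return "EV"          # vetted organization plus incorporation details
    return "OV"              # vetted organization, no incorporation details


def asserted_identity(cert):
    """Plain-language statement of what the certificate actually vouches for."""
    subj = subject_fields(cert)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subj:
        names = [subj["commonName"]]
    level = validation_level(cert)
    if level == "DV":
        return f"DV: controls {', '.join(names)}; no organisation vetted"
    country = subj.get("countryName", "?")
    return f"{level}: {subj['organizationName']} ({country}) controls {', '.join(names)}"


def fetch_cert(host, port=443, timeout=5):
    """Optional live path (needs network): fetch and parse a server's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certificates).
DV_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "shop.example.test"),)),
    "subjectAltName": (("DNS", "shop.example.test"),),
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),), (("serialNumber", "5299207"),),
                (("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "shop.example.test"),)),
    "subjectAltName": (("DNS", "shop.example.test"),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(asserted_identity(cert))
```

The point the classifier makes visible is the one in the paragraph above: all three sample certificates protect the same hostname with the same encryption, and only the OV and EV ones say anything about who operates it.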
The required level of assurance and the cost of an SSL certificate will vary for each website project, depending on its size, its purpose, and the sensitivity of the content to be protected. With Let's Encrypt offering free domain-validated certificates and professional Certificate Authorities offering very cheap ones, there is no reason for any website to present an insecure login form to its users.
So the next time you sign into a website over an untrusted network, remember that if the login is not protected by TLS, your packets are sent in plain text for anyone listening to capture. With the multitude of software and hardware tools available, such as the Wi-Fi Pineapple, or simply a skilled attacker who writes their own, you may be unknowingly handing over your credentials.