Community
Select to view content in your preferred language

Password Encryption at Transport layer??

2835
6
Jump to solution
06-06-2013 12:57 PM
DanielSmith
by
Frequent Contributor
‎06-06-2013 12:57 PM
noticed that when using Fire Bug the 'Post Get token' to access secure map services show the user name and password as plane text. is this getting encrypted at the transport level?

[ATTACH=CONFIG]25096[/ATTACH]
Preview file
8 KB
Preview file
28 KB
0 Kudos
1 Solution

Accepted Solutions
by Anonymous User
Not applicable
‎06-06-2013 05:50 PM
Original User: D.E.Smith99

Holy Jesus!!! are you reading my mind (or rather my traffic (: )?  totally digging into wireshark now. Will Let you know what i find.


ok. here it is.

1) booted up wire shark
2) opened browser and activated Fire Bug
3) navigated to and logged into web app
4) isolated the 'POST Generate Token' that was showing username and password as text in Fire Bug.
5) noted the time stamp
6) back to wire shark
7) filtered by tcp.port ==443
😎 Identified two frames based on filtered port, source and destination IP addresses, time stamp, and payload
9) dug through the packets looking for username and password or other indications.
10) located the SSL branch in the tree and the encrypted application data

i am still looking through the wire shark documentation to fully understand the information and learn a thing or two. But the application data is encrypted no matter what Fire Bug is telling me.

you seeing same stuff on your end Dev01?

View solution in original post

0 Kudos
6 Replies
by Anonymous User
Not applicable
‎06-06-2013 02:03 PM
Original User: GISDev01

noticed that when using Fire Bug the 'Post Get token' to access secure map services show the user name and password as plane text. is this getting encrypted at the transport level?

[ATTACH=CONFIG]25096[/ATTACH]


Yes. Look into how "HTTPS" works. That S makes all the difference.

However, Esri has a long way to go to providing Enterprise Level security in an out-of-the-box solution (not referring to this question in particular).
0 Kudos
DanielSmith
by
Frequent Contributor
‎06-06-2013 02:26 PM
Indeed HTTPS. Just wanted to make sure that at the transport layer this was actually getting encrypted. Thnx for the assurance GISDev01.

ESRI folks care to comment on this?
0 Kudos
by Anonymous User
Not applicable
‎06-06-2013 03:24 PM
Original User: GISDev01

Indeed HTTPS. Just wanted to make sure that at the transport layer this was actually getting encrypted. Thnx for the assurance GISDev01.

ESRI folks care to comment on this?


If you want to see what is going over the wire, and as a fun research opportunity if you want to know more about Network Security, go ahead and install Wireshark and watch all of the traffic going over the wire and you will find your answer. I'm actually interested in what you find because I haven't looked at that traffic yet. I will check it later tonight myself.
0 Kudos
DanielSmith
by
Frequent Contributor
‎06-06-2013 04:01 PM
If you want to see what is going over the wire, and as a fun research opportunity if you want to know more about Network Security, go ahead and install Wireshark and watch all of the traffic going over the wire and you will find your answer. I'm actually interested in what you find because I haven't looked at that traffic yet. I will check it later tonight myself.


Holy Jesus!!! are you reading my mind (or rather my traffic (: )?  totally digging into wireshark now. Will Let you know what i find.
0 Kudos
by Anonymous User
Not applicable
‎06-06-2013 05:50 PM
Original User: D.E.Smith99

Holy Jesus!!! are you reading my mind (or rather my traffic (: )?  totally digging into wireshark now. Will Let you know what i find.


ok. here it is.

1) booted up wire shark
2) opened browser and activated Fire Bug
3) navigated to and logged into web app
4) isolated the 'POST Generate Token' that was showing username and password as text in Fire Bug.
5) noted the time stamp
6) back to wire shark
7) filtered by tcp.port ==443
😎 Identified two frames based on filtered port, source and destination IP addresses, time stamp, and payload
9) dug through the packets looking for username and password or other indications.
10) located the SSL branch in the tree and the encrypted application data

i am still looking through the wire shark documentation to fully understand the information and learn a thing or two. But the application data is encrypted no matter what Fire Bug is telling me.

you seeing same stuff on your end Dev01?
0 Kudos
by Anonymous User
Not applicable
‎06-07-2013 04:28 AM
Original User: GISDev01



you seeing same stuff on your end Dev01?


Sure am, I just tested it this morning. I did a string search through all packets within a 30 second window of submitting the credentials and there is no match for my username or password anywhere to be found. I then isolated the SSL traffic and it matches the source and dest. IP and timestamp, so we do both have proof it is being encrypted.

According to Squillman at Serverfault, "Yes, POST data should be encrypted. Everything in the HTTP request should be encrypted in an SSL conversation. Firebug gets its info after SSL data has been decrypted by the browser. "
http://serverfault.com/questions/106905/is-post-data-encrypted-over-an-ssl-connection
0 Kudos