Is it possible at all to secure an unencrypted website?

LenaMsdn08

We recently had this discussion at work - someone had suggested implementing
single sign-on by passing a random 32-byte key in the query string and matching
it against a database that is used by both applications. Both sites are
written in ASP.NET 1.1.

It was pointed out that passing this key in the query string was a huge
security hole; anyone who intercepted the request on the Internet could then
use the key to log in.

On the other hand, wouldn't any unencrypted (using http, not https) website
be vulnerable pretty much no matter what you do? For example, even if the
session object is server-side, isn't the cookie that stores the session ID
passed in the HTTP request, so just as well as intercepting the query string,
couldn't someone intercept the cookie and hijack the session?

(My apologies for the lack of correct terminology in this post.)
 
Joe Kaplan

Your analysis is correct. If you want it to be secure, you really need to
consider SSL. Session cookies or cookies that supply authentication
information are just as easily intercepted as query string parameters if the
plaintext HTTP data can be sniffed.
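To make Joe's point concrete, here is an added example that is not part of the original thread: a small parser over two constructed plaintext HTTP requests (the host names, the 32-byte SSO key and the cookie values are all made up for illustration). A passive observer on the path recovers the query-string key and the session cookie with exactly the same effort, and can build a replay request from either.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the proposed SSO hand-off, random key in the query string.
SSO_REQUEST = (
    b"GET /sso/Landing.aspx?key=9f1c2b7e4a3d8c6f0b5e1a7d3c9f2b8e4d6a1c7f3b9e5d2a8c4f6b1e7d3a9c5f HTTP/1.1\r\n"
    b"Host: app2.example.com\r\n"
    b"Referer: http://app1.example.com/Default.aspx\r\n"
    b"\r\n"
)

# Constructed sample: an ordinary page view on a site with server-side sessions.
# The only things identifying the user are the cookies (values made up).
SESSION_REQUEST = (
    b"GET /Orders.aspx HTTP/1.1\r\n"
    b"Host: app1.example.com\r\n"
    b"Cookie: ASP.NET_SessionId=k3m2x5zq1v4w7n8r0t6y9u2b; .ASPXAUTH=AB12CD34EF56\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers). Header names
    are lower-cased; a repeated header keeps its last value, which is enough
    for this demonstration."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_credentials(raw):
    """Return every bearer secret visible in the plaintext request: query-string
    parameters and cookies. Nothing is broken here; the bytes were sent in the
    clear, so reading them is all an observer has to do."""
    _method, target, headers = parse_request(raw)
    query = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    cookies = {}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        cookies = {name: morsel.value for name, morsel in jar.items()}
    return {"query": query, "cookies": cookies}


def forge_request(raw, path):
    """Build a new request against `path` that reuses what was captured: the
    same cookies and, if present, the same query parameters. For the SSO case
    this replays the key; for the session case it rides the live session."""
    _method, target, headers = parse_request(raw)
    query = urlsplit(target).query
    new_target = path + ("?" + query if query else "")
    req = f"GET {new_target} HTTP/1.1\r\nHost: {headers['host']}\r\n"
    if "cookie" in headers:
        req += f"Cookie: {headers['cookie']}\r\n"
    return (req + "\r\n").encode("latin-1")


if __name__ == "__main__":
    for raw in (SSO_REQUEST, SESSION_REQUEST):
        print(extract_credentials(raw))
        print(forge_request(raw, "/Orders.aspx").decode("latin-1"))
```

The two `extract_credentials` calls return the key and the session id respectively; neither is harder to obtain than the other, which is why moving the secret from the query string into a cookie changes nothing about the sniffing threat. (A query-string key is still worse in one respect the thread does not raise: it also lands in server logs and Referer headers.)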
 
LenaMsdn08

Joe,

Thank you for the information and for getting back to me so quickly - I'll
have to do some more thinking about our site, apparently.

More or less thinking out loud ...

Noticed when I went in to check the newsgroup, that for example the MSDN
login and subscriber download pages are secure, but the MSDN home page and
many other pages without sensitive content are not, which makes sense (secure
pages are slower).

The top right of the page says "Welcome Lena" and "Sign Out" so MSDN must
see me as logged in ... but I assume it's not actually passing any
authentication information on these pages, where someone could intercept it
and use to access the secure download page. I'm sure Microsoft wouldn't let
anyone break in so easily and steal expensive software :)

Comparing to something I noticed on another website I worked on a long time
ago ... most of the site was unsecure but there were some secure pages, and
the secure and unsecure parts used different ASP Session IDs. That would take
care of keeping the unsecure pages from giving away authentication data for
the secure pages, wouldn't it?

I'm sure there is more to it than that, of course ... I'll work away on it
and see what I can find.

Thank you again for the information, it was helpful!
 
Joe Kaplan

Amazon also is a good example of maintaining some notion of who you are but
switching to secure mode for actual ordering operations and other similar
stuff.

One way to do this is to ensure that your actual authentication cookies are
set with the Secure flag so the browser will only return them on a secure
channel. You could have a personalization cookie that cannot be used to
access secure resources that still indicates who the user is.

Essentially, this type of thing needs to be designed thoughtfully to be
effective. Microsoft has some good guidance around developing threat models
to help you understand what the threats are and how to mitigate them.

And yes, if you use gmail without HTTPS, someone can steal your
authentication information and possibly read your mail. I recommend you not
do that. :)
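As an added example (not code from the thread), Python's standard http.cookiejar implements the browser-side rule Joe describes, so it can show the Secure flag at work: the login response, arriving over HTTPS, sets an auth cookie with Secure and a personalization cookie without it, and the jar then reveals which of the two a browser would attach to a plain http request and which to an https one. The host name, cookie names and values are assumed for illustration, and the requireSSL-style server check at the end is an assumed policy written for this example, not ASP.NET 1.1 code.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Assumed host name for the example; the thread does not name one.
SITE = "www.example.com"


class _FakeResponse:
    """Stand-in for an HTTP response: http.cookiejar only needs .info() to
    return a headers object that supports get_all("Set-Cookie")."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so both survive

    def info(self):
        return self._headers


def login_over_https(jar=None):
    """Simulate the login response arriving over HTTPS. The server sets two
    cookies: the auth ticket carries the Secure flag, the personalization
    cookie does not. Names and values are constructed for the example."""
    jar = jar if jar is not None else http.cookiejar.CookieJar()
    request = urllib.request.Request(f"https://{SITE}/Login.aspx")
    response = _FakeResponse([
        ".ASPXAUTH=ticket-only-ever-sent-over-tls; Path=/; Secure",
        "DisplayName=Lena; Path=/",
    ])
    jar.extract_cookies(response, request)
    return jar


def cookies_sent_to(jar, url):
    """Which cookies the browser would attach to a request for url, as a
    dict name -> value. The jar applies the Secure rule by itself."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return {}
    return dict(part.strip().split("=", 1) for part in header.split(";"))


def server_view(url, cookies):
    """What a page on the server may conclude from the cookies it received.
    Assumed requireSSL-style policy: honour the auth ticket only on an https
    request; the personalization cookie is good for a greeting and nothing more."""
    scheme = url.split(":", 1)[0]
    return {
        "authenticated": scheme == "https" and ".ASPXAUTH" in cookies,
        "greeting": cookies.get("DisplayName"),
    }


def page_visit(jar, url):
    """One round trip: the browser decides what to send, the server decides
    what it proves. Returns (cookies sent, server's conclusion)."""
    cookies = cookies_sent_to(jar, url)
    return cookies, server_view(url, cookies)


if __name__ == "__main__":
    jar = login_over_https()
    for url in (f"http://{SITE}/Default.aspx", f"https://{SITE}/Downloads.aspx"):
        sent, seen = page_visit(jar, url)
        print(url, "sends", sorted(sent), "->", seen)
```

On the http page the jar sends only `DisplayName`, so a sniffer there gets the name to print in "Welcome Lena" but not the ticket; on the https page both cookies go out, and only there does the server treat the request as authenticated. The server-side check matters as much as the flag: if the server also accepted the ticket over http, a single mis-linked http URL would be enough to leak it.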
 
LenaMsdn08

Joe,

Thanks again for your insights - this gave me a lot of good ideas. I will
look for more security info on Microsoft's website too :)
 
Allen Chen [MSFT]

Hi,

In addition to what Joe said I'd like to provide some general
documentation FYI.

http://msdn.microsoft.com/en-us/library/aa302426.aspx
http://www.devx.com/security/Article/20898

If you have additional questions please feel free to let me know.

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Allen Chen [MSFT]

Hi Lena,

Have you got the expected answer? If you have additional questions please
feel free to ask. I'll do my best to follow up.

Regards,
Allen Chen
Microsoft Online Support
 
