This topic contains 1 reply, has 2 voices, and was last updated by tomatojuice1 1 month, 2 weeks ago.
October 16, 2021 at 3:01 am #457270
Let’s say I log into an HTTP website and my credentials are sent as plain text. Who can actually see my credentials, other than people connected to my network and the website’s network? Everyone mentions “malicious actors” but I can’t imagine how a random hacker could sniff my traffic when he doesn’t have access to both networks.
October 16, 2021 at 3:04 am #457276
For regular HTTP, anyone who has access to the “wire” (users on the same network as the end user, ISPs, etc.) could potentially see the credentials in plaintext. Anyone that can instantiate a MiTM attack on any point during the HTTP exchange can see those details. That’s why SSL is so critical, because it only allows the attacker/sniffer to grab the domain you are accessing – not the exchanged credentials (in simple terms).
October 16, 2021 at 3:04 am #457271
Have you seen the number of router zero days that get released? What about IoT vulnerabilities like default passwords and horrendously insecure firmware which can’t be updated? If you told me you could guarantee that hackers don’t have access to your network, I’d tell you you’re being ignorant.
You also have no control over the security of all the infrastructure between you and your endpoint network. If anyone has visibility of any segment of that infrastructure when your data passes through it, then it is exposed. ISPs and other entities hoover this data up without limit, meaning your data is only as secure as their promise (or cyber abilities) not to share it.
On top of that, HTTP provides no validation that you’re actually talking to who you think you are. The person on the other end might claim they are your bank provider, but they’ve not shown you 2 forms of valid ID to prove it. Would you give your hard-earned wages to a bloke on the high street holding a “Bank of America” sign?
As a final point, why would you not bother with SSL/TLS? Any reputable site (particularly any with login capabilities) will default to HTTPS, so you probably have to go out of your way to use HTTP in most cases. It’s a strong indicator of a business’s lack of caring about security. If they can’t be bothered to roll out a free Let’s Encrypt SSL certificate, chances are they’ve not conducted a penetration test against their website, and it’s only a matter of time before an opportunistic hacker discovers an SQL injection vulnerability and steals your password stored in plaintext in their database.
TLDR: Just use SSL/TLS.
October 16, 2021 at 3:04 am #457273
Ok, so basically a “malicious actor” does not need access to both networks… all they need is a single intercept point. That could be anywhere between your machine and the site you are attempting to access. It’s not like you are using a straight cable between the 2 either… from your machine, through your access point, your ISP, possibly other servers, before the ISP of where you are going, then their server. Anywhere in here an intercept can happen.
Adding to that… SSL is no longer the standard, being less secure than TLS (though many refer to them as the same), not to mention that if you are not using SSL/TLS, one could pretend to be the site you are after (always check certificates if unsure, and never use confidential info on an unsecured page).
Nowadays most sites (worth using) will auto-redirect to the secure page, especially if confidential info is being used/obtained.
Keep in mind that even if you aren’t worried about your own security, trying to bypass the work of the netsec team can put others at risk as well.
TL;DR: SSL/TLS keeps you, the site, and others safer.
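A defender-side check for the situation discussed in this thread, as an added example that is not part of any poster's reply: it scans a page's HTML for password forms whose submission would cross the network over plain HTTP, or that are themselves delivered over HTTP. The function name `audit_login_forms`, the `shop.example` URLs and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action and password-field presence of every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # forms seen so far
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return (submit_url, finding) for each password form exposed to the wire."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue  # e.g. a search box: no credentials involved
        # A missing or empty action submits back to the page's own URL.
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme == "http":
            findings.append((submit_url, "password sent in cleartext"))
        elif urlsplit(page_url).scheme == "http":
            # Secure target, but the page carrying the form can be altered in transit.
            findings.append((submit_url, "login page served over HTTP"))
    return findings


# Constructed sample markup: one search form, one login form.
SAMPLE_HTML = ('<form action="/search"><input name="q"></form>'
               '<form action="/login" method="post"><input name="user">'
               '<input type="PASSWORD" name="pass"></form>')
```

Running `audit_login_forms("http://shop.example/account", SAMPLE_HTML)` reports the login form only; the same markup served from an `https://` URL produces no findings.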
October 16, 2021 at 3:04 am #457275
Run traceroute or tracert, depending on your OS. Every host on the list sees your data exchange. Every host in the same network as those hosts can try ARP poisoning or other attacks to see your data.
It is not as common as it used to be, but a lot of small local ISPs don’t configure their nets correctly, so anyone in your neighbourhood (connected to the same switch) can do some attacks on your plain-text connections.
Moreover, if you go e.g. to a McDonald’s or Starbucks or whatever and connect to the network there, how are you sure you’re connecting to their network and not some same-named network with a stronger signal that was set up by some attacker?
And then there are all those edge router attacks that the other poster mentioned.
October 16, 2021 at 3:04 am #457277
Your web request is routed over literally hundreds of routers and switches before it reaches its destination. Anyone capturing traffic on any of them could potentially intercept your credentials.
October 16, 2021 at 3:04 am #457279
>Who can actually see my credentials, other than people connected to my network and the website’s network?
The people on the networks in between. You don’t think everyone is directly connected to everyone else, do you? And well-funded or connected malicious actors (like China) can steal traffic by advertising for that network.
October 16, 2021 at 3:04 am #457280
You just don’t know what happens between you and the other side. There are many things in between. It’s just like giving your package to a stranger and hoping that stranger delivers your package intact to the receiver. You can do it, but should you do it?
October 16, 2021 at 3:04 am #457283
Any active packet sniffer on any network on the path can see it. But even if you think you’re safe, or just don’t care, or even create your own encryption scheme – browsers will complain about being an insecure website, and increasingly scream about it in the future. Unless it’s just a data endpoint, and not a website you plan to make public or user friendly in any way… Just do SSL.
Let’s Encrypt has made it so easy that there’s no good excuse not to anymore.
I would not log into a website anymore without SSL, even from my own networks.
October 16, 2021 at 3:04 am #457284
Well, what you gotta understand is the business point of view of SSL.
SSL builds trust, trust brings money.
October 16, 2021 at 3:04 am #457285
You assume a “random hacker” doesn’t have access to both networks. “Random hackers” don’t announce themselves.
Making assumptions is how people get got.
There’s also this thing called cross-site scripting.
October 16, 2021 at 3:04 am #457286
You might be underestimating how easy it is for someone to jump onto your local network 🙂