Wifi in public places - stay protected?

ncjok · 14 Jul 2010 at 05:49

tntcoder said:
Yer, if you look in the source for Vbulletin, there is a Javascript implementation of MD5.

When you press Log In on this forum it fires:

<code snip>

So essentially it is as you describe, except it is hashed in the users browser, then sent to the database and compared to the stored hash. This removes the major weakness of transmitting it exactly as is in plaintext form (hence protecting it from trivial sniffing).

The reason I questioned it was because I thought I had looked into forum logins a couple of months ago and found the process to be conducted in plain text. I also checked a few other places I have accounts and reconfigured my mail client to use TLS despite not seeing any information on the host's site. It was a long, long time since I had played with Ethereal, now Wireshark.

With regard to the OcUK forums it is entirely possible I am just going mad and didn't previously look at this case. Sure enough, a quick bit of packet capture just satisfied my curiosity. Thanks for pointing the JavaScript out

ncjok · 14 Jul 2010 at 06:27

Just as an aside, it appears that logins to OcUK Trust are conducted in plain text. This seems a somewhat inconsistent implementation.

tntcoder · 14 Jul 2010 at 06:39

ncjok said:
Just as an aside, it appears that logins to OcUK Trust are conducted in plain text. This seems a somewhat inconsistent implementation.

Good point about Trust

good example of a third party plugin that brings down the security of the whole system, being the weak link.

Conrad11 · 14 Jul 2010 at 12:32

On the subject, would the university library be secure enough to access my webserver? I need todo some development and will be accessing CPanel and using FireFTP? I think you need your own university login to access these machines.

I know it may sound like a stupid question but I just want to be sure.

tntcoder · 14 Jul 2010 at 15:49

Conrad11 said:
On the subject, would the university library be secure enough to access my webserver? I need todo some development and will be accessing CPanel and using FireFTP? I think you need your own university login to access these machines.

I know it may sound like a stupid question but I just want to be sure.

I would use SFTP (Secure-FTP) if your web host supports it, as FTP sends the username & password in plaintext and anyone in your University lab (wired or wireless) could steal it trivially. FireFTP support SFTP so you should be good to go as long as your webhost supports it. Pretty sure CPanel is fine as well as it uses SSL.

Otherwise, things to worry about would be keyloggers stealing the details as you type them in, but Universities are generally quite good with AV scans so you can probably brush that risk aside.

gibb · 16 Jul 2010 at 20:11

I think someone mentioned it but always be on the lookout for any certificate problems when using https. The methods which most people might try to use in public wifi usually cause problems with these and your browser should tell you.