Have you ever wondered whether you are secure when you enter your credentials on your favorite social networking site or check your e-mail account?
I ran a few simple tests to check how secure the data we send over the network every day really is. You can do the same on your own system. I used the Sandcat Browser for this purpose; it is freeware and useful to pen-testers. I just intercepted and read the HTTP headers.
I tried this with Facebook.
Most of us believe that POST is more secure than GET, and most login forms today do use POST. I tried to log in to Facebook with the following details:
The POST request was:
POST /login.php?login_attempt=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.8 (KHTML, like Gecko) Chrome/17.0.930.0 Safari/535.8

post_form_id=88ebf381c359e805c0be9a1ec2713bc0&lsd=xNL2N&locale=en_US&email=abcd%40yahoo.co.in&pass=mypassword123&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=xNL2N&timezone=-330&lgnrnd=051419_PLvR&lgnjs=1332850463
Look at the email= and pass= parameters in the request body: the username and password are right there. They are only URL-encoded, not encrypted.
(Screenshot: the captured Facebook login request)
When we compare GET and POST we usually say POST is more secure because it does not put the data in the URL. That is true as far as it goes: POST keeps the fields out of the address bar, browser history, bookmarks, Referer headers and server access logs. But it does nothing for the data on the wire. A plain-HTTP POST body is sent in clear text, exactly as shown above, so anyone who can intercept the traffic (on the same Wi-Fi, at a proxy, at the ISP) reads your password.
So how can sites like Facebook, Gmail and others claim to be secure?
The answer is SSL (today TLS). SSL encrypts the whole HTTP exchange between client and server: the request line, the headers and the body, and the response as well. Without SSL there is no real difference between GET and POST as far as an eavesdropper is concerned; with SSL, both are encrypted before they leave the browser. So data sent by POST is only safe from interception when it travels over SSL. GET data is just as protected on the wire, but the URL still ends up in history and server logs, which is why login forms should keep using POST.
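To make concrete what an interceptor actually sees, here is a small added example; it is my code, not the author's and not anything from Facebook. It parses a captured plaintext HTTP request and pulls out the login fields, and it does so identically for the POST above and for the same login sent as a GET, which is the point of the two paragraphs above. The sample requests are constructed from the capture in the post and trimmed; the Content-Type header is an assumption (a browser form post carries it) and was not part of the original capture, and the list of credential field names is mine.

```python
"""Pull form fields out of a captured plaintext HTTP request.

Added example for this post (my code, not the author's or Facebook's).
It shows what a passive interceptor on a non-SSL connection can read:
for a POST, the credentials sit in the body; for a GET, they sit in the
request line. Both sample requests below are constructed from the
capture in the post and trimmed; the Content-Type header is assumed
(a browser form post carries it) and was not in the original capture.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the post's own POST, with only the headers that
# matter for parsing, then the blank line that ends the header block.
POST_REQUEST = (
    b"POST /login.php?login_attempt=1 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.8\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"post_form_id=88ebf381c359e805c0be9a1ec2713bc0&lsd=xNL2N&locale=en_US"
    b"&email=abcd%40yahoo.co.in&pass=mypassword123&default_persistent=0"
)

# Constructed sample: the same login sent with GET instead. Nothing in
# the body; everything is in the URL.
GET_REQUEST = (
    b"GET /login.php?email=abcd%40yahoo.co.in&pass=mypassword123 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.8\r\n"
    b"\r\n"
)

# Parameter names a sniffer would flag as credentials (my list; extend as needed).
CREDENTIAL_KEYS = {"email", "pass", "password", "user", "username", "login"}


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively.
    A capture saved with bare LF line endings is tolerated.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_form_fields(raw: bytes) -> dict:
    """Return every form field visible to an eavesdropper.

    Fields in the URL query string are always visible. The body is parsed
    only when the request says it is a URL-encoded form, which is how
    browsers submit ordinary login forms. For a repeated name (the post's
    capture sends lsd twice) the last value wins.
    """
    _method, target, headers, body = split_request(raw)
    fields = {}
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        fields[key] = values[-1]
    content_type = headers.get("content-type", "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("utf-8"), keep_blank_values=True).items():
            fields[key] = values[-1]
    return fields


def leaked_credentials(raw: bytes) -> dict:
    """Just the credential-looking fields: what the capture gives away."""
    return {k: v for k, v in extract_form_fields(raw).items()
            if k.lower() in CREDENTIAL_KEYS}


if __name__ == "__main__":
    for label, request in (("POST", POST_REQUEST), ("GET", GET_REQUEST)):
        print(label, leaked_credentials(request))
```

Both requests yield the same email and password, which is the whole point: without SSL the method choice changes where the secret sits in the request, not whether the eavesdropper gets it. Over SSL the same capture is ciphertext from the first byte, so there is no header block to split and nothing for parse_qs to read.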
So there is no reason to panic; you are reasonably safe as long as the connection is encrypted. Just remember to check for a secure connection before you type a password. The easy check is the browser address bar: the login page itself should be served over https (with the padlock), not only the page you land on afterwards, because a login form delivered over plain http can be altered before you ever submit it.
(Screenshot: https shown in the browser address bar)
But even HTTPS/SSL is not always secure. I shall cover that in my next post.