Site Manager should login securely (and not in cleartext)



xyster
08-15-2004, 08:09 PM
I've noticed that the Site Manager application sends the administration username and password out in cleartext.
This means that anyone on your wired LAN, anyone outside eavesdropping on your Wi-Fi, a neighbor using a cable modem like yourself, or someone sitting on the internet route between your machine and WestHost can learn your password and hijack your website.

Is there a way to change this? It should be secure by default!

WestHost - MMellor
08-16-2004, 11:06 AM
Hello Xyster,

We provided access to the Site Manager via standard HTTP (as opposed to SSL) to increase performance. Anyone who would like to log into their Site Manager via SSL can simply modify the URL for their Site Manager login screen to begin with HTTPS instead of HTTP. If you have any questions on this please let us know.

xyster
08-16-2004, 01:01 PM
Thank you for the quick reply.
I ended up modifying ~/www/cgi-bin/.admin.redirect.sh
Is there a cleaner way to do this?

WestHost - MMellor
08-16-2004, 02:07 PM
Hello Xyster,

Well you could just put in the https://www.yoursite.com/manager as your bookmark and then just go there to access your site. That is probably the easiest and cleanest way that I can think of to do it. Let me know if you have any other questions.

xyster
08-16-2004, 03:39 PM
That is what I initially tried. However, I got a "connection refused" error.

jalal
08-17-2004, 02:06 AM
Same here...

FZ
08-17-2004, 12:25 PM
Does not work for me either. If https://domain.com doesn't work, then how can https://domain.com/manager/ ?! I think one would need to install Open SSL explicitly via their Site Manager (assuming they have it available, I don't think the starter package does) before https:// on their domain would work.

Here's a way to use a secure login without installing anything: go to http://domain.com/manager/ which forwards you to the login form located on the server you are on, an address in this form:

http://69.36.161.1yy/php/login/login_screen.php?vds_ip=domain.com&uid=xxxxx&tz=MDT&vds_server_ip=69.36.161.1yy&greseller=69.36.161.101%2Fgrs%2Fget_skin.php

Where yy is the server you are on, domain.com your domain and xxxxx your numerical user ID (note: there may be other differences in the URL you are forwarded to).

Just change the http:// to https:// and it works... Noticeable decrease in speed, though - understandable why WestHost made it non-secure by default!

Suggestion for WestHost: have a link to a secure version of the login on that page - will save a lot of trouble and will give peace of mind to those that require it.

wildjokerdesign
08-20-2004, 07:25 AM
I was thinking about this and was wondering how important it really is to run Site Manager through a secure connection. I have always thought that on a form, if it is a password field, the info entered is "hidden" when submitted. There are many accounts I have out there where, although the interface itself is a secure connection, the login page is not. Even my bank login page is not https, but then when I hit submit the form is submitted to the script that is https/secure.

Anyone have any comments on that? Am I wrong in my assumptions about the password field?

FZ
08-20-2004, 11:53 AM
For lack of a better way of saying it, I do think you are wrong :P

Just because the password shows up as "stars" doesn't mean that it is sent in a secure way too. I think the "stars" thing is a browser only feature and is just so that anyone looking over your shoulder can't read your password off the screen. The password itself is probably still sent as clear text, just like everything else on the form!
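As an added example (not code from WestHost or anyone in this thread), the script below audits the two things this thread turns on: whether the /manager redirect and the login form actually use HTTPS, and the fact that a masked password field is still plain form data on the wire. It works on constructed artifacts; the host, path and user id are placeholders.

```python
# Added example (not WestHost's code): audit a login flow for cleartext exposure
# from two constructed artifacts, the raw redirect /manager returns and the
# login page HTML.  Hosts, paths and user ids below are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlencode

class _FormScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def redirect_target(raw_response):
    """Return the Location header value of a raw HTTP response ('' if none)."""
    for line in raw_response.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return ""

def audit_login(raw_redirect, login_html, page_url):
    """Return findings; an empty list means the password never leaves in clear."""
    findings = []
    loc = redirect_target(raw_redirect)
    if urlsplit(loc).scheme != "https":
        findings.append("redirect points at a non-HTTPS login: " + loc)
    scan = _FormScan()
    scan.feed(login_html)
    for action in scan.actions:
        # A relative action inherits the page's scheme; an absolute one can downgrade.
        scheme = urlsplit(action).scheme or urlsplit(page_url).scheme
        if scan.has_password and scheme != "https":
            findings.append("password form submits over " + scheme + ": " + (action or page_url))
    return findings

def wire_body(fields):
    """The request body a browser builds: the masked field is plain text here."""
    return urlencode(fields)

# Constructed samples shaped like the thread's redirect and a minimal login form.
REDIRECT_HTTP = ("HTTP/1.1 302 Found\r\nLocation: http://203.0.113.10/php/login/"
                 "login_screen.php?vds_ip=example.com&uid=00000\r\n\r\n")
REDIRECT_HTTPS = REDIRECT_HTTP.replace("Location: http://", "Location: https://")
LOGIN_HTML = '<form action="login.php" method="post"><input name="uid"><input type="password" name="pw"></form>'
```

Run `audit_login(REDIRECT_HTTP, LOGIN_HTML, "http://203.0.113.10/php/login/")` to see both findings, and the HTTPS variant to see none; only TLS, not the browser's masking, keeps `wire_body` out of a LAN sniffer's view.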

wildjokerdesign
08-20-2004, 12:23 PM
Thanks Fayez,

I had a feeling I was wrong on that one. :)

FZ
08-20-2004, 01:18 PM
No problem :)

nsc
09-03-2004, 09:48 AM
On my website when I access the Site Manager, my browser reports that the connection is secured with SSL (RC4 128bit). Naturally the password should be sent encrypted, right?

FZ
09-03-2004, 11:32 AM
Yup... But how did you get it to connect securely - did you explicitly go to https://... or what? By default Site Manager access is not secure.

nsc
09-03-2004, 12:57 PM
I just access the /manager directory of my domain with normal http (no https) and I get redirected to an https: address. This happens both with Firefox and Konqueror on GNU/Linux. I use the Value plan.

FZ
09-03-2004, 01:47 PM
Interesting. My /manager does not send me to a secure login - I have to change it to https:// explicitly. Oh well, I don't mind, the Site Manager is slow enough for me as is, making it secure just slows it down more.

Emby
09-08-2004, 08:01 AM
For what it's worth, my manager does come up as secure. That is, I type in http://www...., and it re-directs me to https://... for a login screen. I presume that this encodes my login info via SSL.

When I get to the first screen after that, I simply delete the "s" from https:// in the address bar, and refresh, and this takes me to a non-secure page. Links clicked on from here remain non-secure.

Perhaps WestHost could do this as a default? i.e., forward from the secure login page to a non-secure page - maybe even offer a check-box on the (secure) login page to choose secure vs. non-secure for subsequent pages.

Just my $0.02,

Emby

wildjokerdesign
09-08-2004, 10:08 AM
Sounds like maybe the new default on accounts is secure. nsc and Emby... are your accounts new? I like your idea Emby of having the sign-in secure yet then switching back to non-secure. Not sure how easy it would be to code that into the whole process so it could determine between those who want the entire process secure and those who only want the log-in secure, but it seems reasonable.

Could you two maybe check the file in your cgi-bin that redirects to let us know if perhaps on the lower lines the echo "Location" is set to an https://... url. On my old sites it is set to http://... I didn't really want to name the file but I think you'll be able to find it.

Emby
09-08-2004, 11:14 AM
Yes, the file has "https://..." for the "Location" echo

wildjokerdesign
09-08-2004, 11:36 AM
I had a feeling it did. Looks like WH may be making some changes. It is good to know so others can make the change if they want to, although if they are doing it with new accounts I would imagine that they may be adding it to older sites or at least may make a way that folks can opt in to it.

torrin
09-08-2004, 11:37 AM
Sounds like maybe the new default on accounts is secure. nsc and Emby... are your accounts new?

Hmmm . . . it must be really new. I just got my account in the last month and it doesn't redirect to a secure site for login.

Emby
09-08-2004, 12:35 PM
yes, 2 weeks new :-)

nsc
09-08-2004, 05:56 PM
I registered with Westhost on 3rd August 2004 and I have default secure access to Site Manager 2.0.