Tests of the use of encrypted channels to transmit passwords and sensitive data.

All sensitive data such as passwords, logins or credit card numbers should be sent over an encrypted channel between the client and the server. This protects the user from a man-in-the-middle attack, in which the attacker sits between the user and the network they are currently using. The attacker then has access to all information transmitted by the victim and, when that data is unencrypted, is able to intercept, modify or destroy it. Appropriate safeguards are therefore required to protect the transmitted data. The information administrator should decide which type of protection to apply: this can be the SSL/TLS encryption protocol, or another cryptographic measure such as e-mail encryption with the recipient's public key. The image below shows a captured unencrypted packet containing credentials, as displayed by a network traffic eavesdropping program.

Figure. Captured an unencrypted packet containing credentials. Source: [Own study]

In one of the applications tested, communication with the server used HTTP, which is not encrypted. All data transmitted over such a channel can be intercepted and modified in transit. The graphic below shows Firefox's warning that the connection is not encrypted.

Figure. View a message that there is no encryption from Firefox. Source: [Own study]
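As an added example that is not part of the original post, the check below formalises what the test above looks for: given the URL of a login page, the form's action and the server's response headers, it reports the conditions under which credentials or the session cookie would travel without TLS. The hostname `example.test` and the header values are constructed sample data.

```python
"""Audit whether a login endpoint protects credentials in transit (added example)."""
from urllib.parse import urljoin, urlparse


def audit_transport(page_url, form_action, headers):
    """Return a list of findings; an empty list means nothing was flagged.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = []
    # A relative action ("/auth") inherits the scheme of the page it is served on.
    action = urljoin(page_url, form_action)
    action_scheme = urlparse(action).scheme.lower()
    if action_scheme != "https":
        findings.append(f"form submits credentials over {action_scheme or 'unknown scheme'}: {action}")
    if urlparse(page_url).scheme.lower() != "https":
        # A plaintext login page lets an on-path attacker rewrite the form itself.
        findings.append(f"login page served without TLS: {page_url}")
    has_hsts = False
    for name, value in headers:
        lname = name.lower()  # header names are case-insensitive
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks the Secure attribute")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header (browser may later fall back to http)")
    return findings


# Constructed sample cases: the unencrypted application from the test, and a hardened one.
INSECURE = ("http://example.test/login", "/auth",
            [("Content-Type", "text/html"),
             ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
SECURE = ("https://example.test/login", "https://example.test/auth",
          [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
           ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])
MIXED = ("https://example.test/login", "http://example.test/auth",
         [("Strict-Transport-Security", "max-age=31536000"),
          ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, case in (("insecure", INSECURE), ("secure", SECURE), ("mixed", MIXED)):
        print(label, audit_transport(*case))
```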
