This is from another client that is using incorrect authentication, sent
in the clear. The original developer thought BASE64
(https://en.wikipedia.org/wiki/Binary-to-text_encoding) would be good enough.
The problem is that it is in the clear: any hacker with a basic understanding
of binary-to-ASCII conversion can convert it back, because this is not
encryption.
The other problem with this system is that they didn't employ
correct SSL encryption.
So now they have 2 options:
- Correctly encrypt the message, using an AES key.
- Or keep the same system and encrypt the TCP request to the server using SSL.
Best practice would be to encrypt the stream via SSL, as this
would also protect other identifying information about this system.
Below is an example of the intercepted HTTP stream:
GET “/clients/aug-2012/CLIENTDATA.pdf” HTTP/1.1
Host: “serverhostedbytheclient.com”
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
The reality is that a large number of providers are still using
this, as some systems have been in place since the early 1990s.
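
To make the "not encryption" point concrete, here is an added example (not code from the client's system): a small Python audit helper that finds Basic credentials in a raw HTTP request and reports whether they were exposed on the wire. The function name and report fields are assumptions, and the sample request is constructed from the capture above with the quotes removed and some headers omitted.

```python
import base64
import binascii

# Constructed sample based on the request shown above.
SAMPLE_REQUEST = (
    "GET /clients/aug-2012/CLIENTDATA.pdf HTTP/1.1\r\n"
    "Host: serverhostedbytheclient.com\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n"
    "\r\n"
)


def audit_basic_auth(raw_request, over_tls=False):
    """Return one finding per Authorization: Basic header in a raw request.

    The report carries the recovered user name and the password length only;
    the password itself is never copied into the report.
    """
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append({"status": "malformed", "exposed": not over_tls})
            continue
        # RFC 7617: the user-id cannot contain ':', so split on the first one.
        user, colon, password = decoded.partition(":")
        if not colon:
            findings.append({"status": "malformed", "exposed": not over_tls})
            continue
        findings.append({
            "status": "decoded",
            "user": user,
            "password_length": len(password),
            "exposed": not over_tls,  # no TLS: readable by anyone on the path
        })
    return findings


if __name__ == "__main__":
    for finding in audit_basic_auth(SAMPLE_REQUEST):
        print(finding)
```

No key is involved at any step, which is why wrapping the connection in SSL (the second option above) is what actually protects the header.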