[wellylug] basic https question

Mark Signal mark at databackup.co.nz
Mon Dec 20 15:37:34 NZDT 2004 

 yes it all makes sense.

I have a web server that clients download ssh keys  from a password 
protected web directory  using wget. I was simply wondering whether I 
would significantly improve the security by changing the connection from 
http to https. The keys themselves are useless without other info which 
does not live on that server.

If the ISP (who hosts the web site) charges for changing this directory 
over to HTTPS are reasonable I will do it anyway but I get the feeling 
from what you are saying that in the real world someone would have to be 
pretty skilled and pretty patient to pick up any useful information from 
the data streams. Given the 'switched' nature of the Internet it sounds 
unlikely that I should loose much sleep over it.

thanks for your responses


Geraint Jones wrote:

>Depends what you mean by "capturing" if said hacker has root access to
>your server then there is little point in them capturing anything, and
>if they don't and are trying to capture the stuff by packet sniffing
>then its possible but there are many far easier ways to do it.
>
>in order to sniff your packets the hacker would need either to have root
>access to one of the routers your traffic travels across or be
>physically patched into your network link. Both of which are in the
>realms of possibility but are not easy to acheve.
>
>A lot of noise is made about packet sniffing/capturing but it is only a
>problem on LAN's that or not switched, as a switch will connect point A
>to point B directly, so point C cannot capture packets destined for
>point B. However a hub broadcasts the packets and the appropriate target
>is the only one that replies so anyone can capture the frames. In saying
>that the amount of frames generated and broadcast on the average LAN is
>rather a lot, so yes it can be done, but unless you have a huge amount
>of time to find just one or two frames it is pointless.
>
>I hope my rambling makes sense
>
>Geraint Jones
>Systems Administrator
>French Maid Foods Limited
>www.french-maid.net
> 
>Tel:  +64 (0)4 568 2687
>Fax:  +64 (0)4 568 2345
>Mob: +64 (0)21 739 240
>
>-----Original Message-----
>From: wellylug-admin at lists.wellylug.org.nz
>[mailto:wellylug-admin at lists.wellylug.org.nz] On Behalf Of Mark Signal
>Sent: Monday, 20 December 2004 3:09 p.m.
>To: wellylug at lists.wellylug.org.nz
>Subject: Re: [wellylug] basic https question
>
>thanks for the answer
>
>in the "real" world is capturing/scanning of http data looking for 
>usernames and passwords actually a common hacker activity or is it just 
>a "potential" problem ?
>
>cheers
>
>Mark
>
>
>
>Geraint Jones wrote:
>
>  
>
>>Yes, https encrypts before it asks for user/pass AFAIK
>>
>>Geraint Jones
>>Systems Administrator
>>French Maid Foods Limited
>>www.french-maid.net
>>
>>Tel:  +64 (0)4 568 2687
>>Fax:  +64 (0)4 568 2345
>>Mob: +64 (0)21 739 240
>>
>>-----Original Message-----
>>From: wellylug-admin at lists.wellylug.org.nz
>>[mailto:wellylug-admin at lists.wellylug.org.nz] On Behalf Of Mark Signal
>>Sent: Monday, 20 December 2004 2:46 p.m.
>>To: Wellylug
>>Subject: [wellylug] basic https question
>>
>>If I use wget to download a file from a password protected https 
>>directory is the username and password  encrypted?
>>
>>cheers
>>
>>Mark
>>
>>
>> 
>>
>>    
>>
>
>
>  
>

More information about the wellylug mailing list