Standard FTP sends passwords in the clear, basic HTTP authentication sends user names and passwords in the clear with each request, and a “remember me” cookie token or session ID served via HTTP (not HTTPS) gets sent with every request.
Assuming someone is not on public/open wi-fi but is using their own password-protected wi-fi or has plugged in an ethernet cable, really, how likely is it that unencrypted sensitive information like FTP or CMS credentials is packet-sniffed?
Reading that HTTP 2 will have TLS built in made me think about all the sites I’ve worked on and come across, particularly CMSs, that have logins and remember me cookies done over HTTP. Although I now use FTP SSL where I can, I have used FTP for years and have never had a problem.
What are your thoughts? I look forward to HTTP 2 but feel that unless you’re taking credit cards or something equally sensitive, unencrypted web traffic likely won’t cause you issues.
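As an added illustration, not part of any post in this thread: a small Python audit over constructed sample HTTP traffic that flags exactly what the question lists (a Basic auth header and session/remember-me cookies sent over http://) and checks the server’s Set-Cookie lines for the Secure attribute that keeps a cookie off plain HTTP. Host, cookie names and values are made up.

```python
import base64

# Constructed samples (not real traffic): a CMS login over plain http://
# using HTTP Basic auth, and the server's reply setting a "remember me" cookie.
SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: cms.example.test\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "Cookie: remember_me=7f3a9c; PHPSESSID=1b2c3d\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: remember_me=7f3a9c; Path=/; Max-Age=2592000\r\n"
    "Set-Cookie: PHPSESSID=1b2c3d; Path=/; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw):
    """(name, value) pairs, names lowercased; repeats kept since Set-Cookie repeats."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the request/status line
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_request(raw, scheme):
    """Secrets anyone on the network path sees when the scheme is plain http."""
    if scheme != "http":
        return []
    findings = []
    for name, value in parse_headers(raw):
        if name == "authorization" and value.lower().startswith("basic "):
            # Basic auth is base64(user:password): encoding, not encryption.
            user = base64.b64decode(value[6:]).decode().split(":", 1)[0]
            findings.append(f"basic-auth credentials for user {user!r} sent in the clear")
        elif name == "cookie":
            for c in value.split(";"):
                findings.append(f"cookie {c.strip().split('=')[0]} sent in the clear")
    return findings

def audit_set_cookie(raw):
    """Per cookie, the attributes it lacks: Secure keeps it off http://, HttpOnly off script."""
    missing = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=")[0].lower() for p in parts[1:]}
        missing[parts[0].split("=")[0]] = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
    return missing
```

Run it on the samples and the remember_me cookie comes back lacking both Secure and HttpOnly, which is the “remember me over HTTP” case from the question; adding Secure (and serving the login over HTTPS) is the fix.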
It all depends on how many servers have been compromised by having packet sniffers installed on them. That in turn depends on the security installed on the servers to prevent that from happening.
Given the high number of sites written by people who don’t have a clue about security, even with all the security the hosting providers install a percentage of the sites they host will be able to be compromised in some way.
Once they manage to capture some userids and passwords that way they can then try them on other sites.
This is probably the easiest way for them to break into people’s bank accounts: users who know nothing about security using the same login on sites that know nothing about security, with the same password there as they use with their bank.
> It all depends on how many servers have been compromised by having packet sniffers installed on them.
Would this require the server being hacked first? If so, I would’ve thought so long as your hosting company is decent this is unlikely.
> Given the high number of sites written by people who don’t have a clue about security
What are you referring to specifically? Not using HTTPS or just badly written code?
> This is probably the easiest way for them to break into people’s bank accounts
Absolutely. My bank login requires me to generate a number using a calculator-type device owned only by me, so if someone got my password they still wouldn’t be able to log in. I guess they started doing that for precisely the reasons you mention.
As an aside, when do you think hosting companies offering HTTP 2 will be commonplace? Are we years off?