Submitting Help Ticket And Exposing Password

[dlevens]

Hello everyone, I am sure someone may have asked this question before but I was not able to find anything on it.

 

I submitted my first help ticket and noticed there was a section asking for my cpanel username and my cpanel password.

 

This seems to be security risk, especially since I noticed that the form is not secured with ssl.

 

Is this necessary? I don't like having my cpanel password exposed like that.

 

Dennis Levens

[MikeJ]

Use the SSL link (available from the main website):

 

https://ssl.totalchoicehosting.com/supportdesk/

 

I know the forums link to the nonsecure version of the page, which we should probably change.

[youneverknow]

Yes you REALLY should make that change!!!

youneverknow

[TCH-Dick]

it was changed about 3 hours ago

[youneverknow]

Thanks!!!

Rock Sign

[dlevens]

WOW, you guys really are on top of things. Thanks for making this change.

 

Dennis

[Deverill]

Has anyone ever heard of someone sniffing and reconstructing packets that weren't sent over https? I'm just wondering because a lot of folks worry about it but I've never heard of it myself.

[TCH-Rob]

Jim,

 

Can it happen? Yes. How often? I will let you know after two more lightning strikes and a shark attack.

[MikeJ]

Has anyone ever heard of someone sniffing and reconstructing packets that weren't sent over https? I'm just wondering because a lot of folks worry about it but I've never heard of it myself.

Yes.

[Head Guru]

Yes? Over 128bit SSL?

[MikeJ]

Yes? Over 128bit SSL?

He said weren't.

[Deverill]

Yes, unencrypted. Honestly I don't worry about things, even passwords, sent over the internet because:

1. the packet nature of things makes it a jumble to start with.

2. there's much more chance the guy fulfilling my order will steal my passwords.

3. the #1 cryptographer rule: Any security method is sufficiently safeguarded if the pain of getting the information is greater than the value of the information itself.

 

Basically, 99% of my stuff is not important enough for anyone to bother with #1 and the pain it takes to sniff and reconstruct.

 

If it were locations or codes of nukes or the details of that new patent I'm applying for dealing with "events being announced by sounds stored in small sound files which are played when the event occurs" it would be different.

 

I was just wondering how "real" the threat is for the average Internet user.

[MikeJ]

Well, I don't want to scare anyone, because in the majority of cases, you aren't going to have a problem, but I do want to clarify a couple things.

 

Pulling traffic off a network and making sense of it is extremely easy. It's not as mumbo jumbo as you may think, and there are many tools that will make sense of it for you. Getting onto the network in the first place is the harder part. That would require them to either already be on your network, or gain access to a machine on it.

 

I have seen many cases were this has happened, though. One of the worse is when a company hired me a couple years ago to do some work one weekend. I went on their firewall to change a ruleset, and found that the firewall had been compromised, a sniffer was installed to look for specific data (accounts, passwords, etc...), and the captures were being emailed offsite on a periodic basis so the culprit could parse the data at their leisure. Everything else they left alone so as not to raise any flags.

 

The thing is, in many cases they don't want your account for what's in it... they want your account for what they can do with it (DOS attacks, spamming, anonymous hacking, etc....). So in that sense, your account login *is* valuable to them.

[Deverill]

Then I guess it's a good thing we have the https: address and the link was changed to it so quickly, eh?