Lesson Plan Title:Insecure Login

Concept / Topic To Teach:
Sensitive data should never be sent in plaintext! Applications often switch to a secure connection only after the authorization step. An attacker could simply sniff the login and use the gathered information to break into an account. A good web application always takes care to encrypt sensitive data.

General Goal(s):
See how easy it is to sniff a password sent in plaintext.
Understand the advantages of encrypting the login data.

Solution:

This lesson has two stages. In the first stage you try to sniff a password which is sent in plaintext. In the second stage you try the same, but over a secure connection.

You need a client-server setup for this lesson. Please refer to the Tomcat Setup in the Introduction section.

Stage 1

Start a sniffer. If you do not have one, we recommend Wireshark, which is free. Make sure you are capturing on the right interface. Click on the submit button and then stop the capture. Now analyze the captured data.


Figure 1: Sniffed Traffic

As you can see, we are interested in the HTTP POST request, because the password is transmitted there. The password field is named clear_pass and carries the value sniffy. This is also the correct answer, and you are done with stage 1.
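The following Python script is an added example, not part of the original lesson or of WebGoat itself. It does programmatically what you just did by eye in Wireshark: it splits a raw HTTP request into method, headers and body, decodes the form-encoded body, and flags fields whose names look like credentials. The sample request bytes are constructed to resemble the stage 1 POST (field clear_pass with value sniffy); the field-name heuristic in CREDENTIAL_FIELD_HINTS and the function names are assumptions made for this example. Used as a check on your own application, it tells you whether a login form would hand its password to anyone on the network path.

```python
"""Flag credentials that a plaintext HTTP login request would expose to a sniffer."""
from urllib.parse import parse_qs

# Field-name fragments that usually indicate a credential (assumption: a simple heuristic).
CREDENTIAL_FIELD_HINTS = ("pass", "pwd", "secret", "token")

# Constructed sample of what Wireshark shows for the stage 1 POST; not a real capture.
SAMPLE_LOGIN_POST = (
    b"POST /WebGoat/attack HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=webgoat&clear_pass=sniffy"
)

# Constructed sample of a harmless GET for the same page, used as a negative case.
SAMPLE_PAGE_GET = (
    b"GET /WebGoat/attack HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def find_credential_fields(raw):
    """Return (field, value) pairs that look like credentials in a form-encoded POST body."""
    method, _target, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    if method != "POST" or not content_type.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    return [
        (name, value)
        for name, values in fields.items()
        if any(hint in name.lower() for hint in CREDENTIAL_FIELD_HINTS)
        for value in values
    ]


def audit_request(url, raw):
    """Classify the request a login form produces, given the URL scheme it is submitted to.

    Credentials submitted over http:// are exactly the stage 1 finding; over https://
    the same request body is carried inside TLS and a sniffer sees only ciphertext.
    """
    exposed = find_credential_fields(raw)
    if not exposed:
        return "no credential fields in this request"
    if url.lower().startswith("https://"):
        return "credential fields present, but the transport is TLS so a sniffer sees only ciphertext"
    return "PLAINTEXT CREDENTIALS: " + ", ".join(f"{name}={value}" for name, value in exposed)


if __name__ == "__main__":
    print(audit_request("http://localhost:8080/WebGoat/attack", SAMPLE_LOGIN_POST))
    print(audit_request("https://localhost:8443/WebGoat/attack", SAMPLE_LOGIN_POST))
    print(audit_request("http://localhost:8080/WebGoat/attack", SAMPLE_PAGE_GET))
```

Note that the parser only handles the form-encoded body type this lesson uses; a JSON login body would need its own decoder, and the field-name heuristic will miss credentials sent under unusual names, so it is a sanity check, not a complete data-loss scanner.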

Stage 2

Now you have to switch to a secure connection. You achieve this by changing the URL from http://... to https://... Sniff the traffic again as you did in stage 1. As you will see, the password is no longer sent in plaintext. The client communicates with the server application over a secure layer, the so-called Transport Layer Security (TLS), which is still commonly referred to as Secure Socket Layer (SSL). TLS is a hybrid encryption protocol: a master secret is established for the session, and this master secret is built by using SHA-1 and MD5. All traffic between the server and the client is encrypted.
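To make the last sentences concrete, here is an added Python example (not from the lesson or from WebGoat) of how TLS 1.0 and 1.1 actually build the master secret from MD5 and SHA-1. It implements the PRF of RFC 2246 section 5: the secret is split into two halves, one expanded with HMAC-MD5 and the other with HMAC-SHA-1, and the two streams are XORed together. The handshake values fed in (pre-master secret, client and server randoms) are constructed for the demonstration, not taken from a real session. The point for the sniffer scenario is that these inputs never appear on the wire in the clear, so the capture from stage 2 gives no way to reproduce the key material. Later versions replaced this construction: TLS 1.2 uses a single SHA-256-based PRF and TLS 1.3 uses HKDF.

```python
"""TLS 1.0/1.1 PRF (RFC 2246 section 5): the master secret is P_MD5 XOR P_SHA-1."""
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: expand secret and seed to `length` bytes by chaining A(i) = HMAC(secret, A(i-1))."""
    output = b""
    a = seed  # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        output += hmac.new(secret, a + seed, hash_name).digest()
    return output[:length]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    half = (len(secret) + 1) // 2         # S1 and S2 share the middle byte when the length is odd
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed inputs standing in for the handshake values; not from a real session.
    pre_master = b"\x03\x01" + os.urandom(46)    # RSA key exchange: client version + 46 random bytes
    client_random, server_random = os.urandom(32), os.urandom(32)
    print(master_secret(pre_master, client_random, server_random).hex())
```

The derivation is deterministic, so both endpoints that know the pre-master secret and both randoms compute the same 48-byte master secret, from which the record-layer keys are derived with the same PRF under the label "key expansion".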