Thursday, May 1, 2008

dur, wtf statcounter?

so my buddy and i recently noticed this lameness with statcounter and other sites...

so i do dislike non-ssl stuff in some situations, like when google-ish stuff passes you to cleartext after the login... but at least when you hit the initial google-ish page w/ https, it will generally retain your ssl session past login...

what irks me is that statcounter does the opposite... i hit https://statcounter.com and go to login, and firefox warns that i'm passin creds in cleartext:



so i embarked on testing the stuff in this post, just cause i was curious... i figured others had probably been all over bitching about this type of stupidity, but maybe not...

anywho, so i check the source of the page to see what the form is doing:


and then i tcpdump and sure enough:

(syn)
05:02:34.157286 IP (tos 0x0, ttl 128, id 37627, offset 0, flags [DF], proto TCP (6), length 48) 192.168.13.113.4820 > 67.15.80.69.80: S, cksum 0xb352 (correct), 1179194610:1179194610(0) win 65535
0x0000: 4500 0030 92fb 4000 8006 065f c0a8 0d71 E..0..@...._...q
0x0010: 430f 5045 12d4 0050 4649 14f2 0000 0000 C.PE...PFI......
0x0020: 7002 ffff b352 0000 0204 05b4 0101 0402 p....R..........

(syn-ack)
05:02:34.216816 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto TCP (6), length 44) 67.15.80.69.80 > 192.168.13.113.4820: S, cksum 0x8e44 (correct), 974121408:974121408(0) ack 1179194611 win 5840
0x0000: 4500 002c 0000 4000 2d06 ec5e 430f 5045 E..,..@.-..^C.PE
0x0010: c0a8 0d71 0050 12d4 3a0f e9c0 4649 14f3 ...q.P..:...FI..
0x0020: 6012 16d0 8e44 0000 0204 0518 0000 `....D........

(ack)
05:02:34.216945 IP (tos 0x0, ttl 128, id 37630, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4820 > 67.15.80.69.80: ., cksum 0xbc35 (correct), 1:1(0) ack 1 win 65535
0x0000: 4500 0028 92fe 4000 8006 0664 c0a8 0d71 E..(..@....d...q
0x0010: 430f 5045 12d4 0050 4649 14f3 3a0f e9c1 C.PE...PFI..:...
0x0020: 5010 ffff bc35 0000 0000 0000 0000 P....5........

(cleartext-password)
05:02:34.218309 IP (tos 0x0, ttl 128, id 37631, offset 0, flags [DF], proto TCP (6), length 906) 192.168.13.113.4820 > 67.15.80.69.80: P, cksum 0x8c8d (correct), 1:867(866) ack 1 win 65535
0x0000: 4500 038a 92ff 4000 8006 0301 c0a8 0d71 E.....@........q
0x0010: 430f 5045 12d4 0050 4649 14f3 3a0f e9c1 C.PE...PFI..:...
0x0020: 5018 ffff 8c8d 0000 504f 5354 202f 7072 P.......POST./pr
0x0030: 6f6a 6563 742f 2048 5454 502f 312e 310d oject/.HTTP/1.1.
0x0040: 0a48 6f73 743a 206d 7933 2e73 7461 7463 .Host:.my3.statc
0x0050: 6f75 6e74 6572 2e63 6f6d 0d0a 5573 6572 ounter.com..User
0x0060: 2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f -Agent:.Mozilla/
...
0x02e0: 2530 305a 2539 3925 3043 2543 343b 2073 Z%99%0C%C4;.s
0x02f0: 6573 7369 6f6e 5f32 3034 3630 393d 3132 ession_204609=12
0x0300: 3039 3631 3531 3330 2532 3630 0d0a 436f 09615130%260..Co
0x0310: 6e74 656e 742d 5479 7065 3a20 6170 706c ntent-Type:.appl
0x0320: 6963 6174 696f 6e2f 782d 7777 772d 666f ication/x-www-fo
0x0330: 726d 2d75 726c 656e 636f 6465 640d 0a43 rm-urlencoded..C
0x0340: 6f6e 7465 6e74 2d4c 656e 6774 683a 2035 ontent-Length:.5
0x0350: 330d 0a0d 0a66 6f72 6d5f 7573 6572 3d72 3....form_user=r
0x0360: 776e 696e 2666 6f72 6d5f 7061 7373 3d** wnin&form_pass=*
0x0370: **** **** **** **26 4c4f 4749 4e5f 4255 *******&LOGIN_BU
0x0380: 5454 4f4e 3d4c 4f47 494e TTON=LOGIN

so, do you think ssl is available? well i can telnet to 443 on my3.statcounter.com... let's see:


and what do you know... it logs me in... let's see what tcpdump says... hrmm, lots of ssl foo w/ certs and such, and then lookit:

(the last ssl push)
05:06:01.601591 IP (tos 0x0, ttl 45, id 9839, offset 0, flags [DF], proto TCP (6), length 63) 67.15.80.69.443 > 192.168.13.113.4834: P, cksum 0x4e45 (correct), 5419:5442(23) ack 1125 win 8420
0x0000: 4500 003f 266f 4000 2d06 c5dc 430f 5045 E..?&o@.-...C.PE
0x0010: c0a8 0d71 01bb 12e2 466f 21b9 5f9f 5c66 ...q....Fo!._.\f
0x0020: 5018 20e4 4e45 0000 1503 0100 1243 c1f8 P...NE.......C..
0x0030: cb60 a052 d4d3 28f3 b8fc 1452 214b 64 .`.R..(....R!Kd

(ssl fin)
05:06:01.601659 IP (tos 0x0, ttl 45, id 9841, offset 0, flags [DF], proto TCP (6), length 40) 67.15.80.69.443 > 192.168.13.113.4834: F, cksum 0xf49f (correct), 5442:5442(0) ack 1125 win 8420
0x0000: 4500 0028 2671 4000 2d06 c5f1 430f 5045 E..(&q@.-...C.PE
0x0010: c0a8 0d71 01bb 12e2 466f 21d0 5f9f 5c66 ...q....Fo!._.\f
0x0020: 5011 20e4 f49f 0000 0000 0000 0000 P.............

(ssl ack)
05:06:01.601735 IP (tos 0x0, ttl 128, id 38227, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4834 > 67.15.80.69.443: ., cksum 0x18ad (correct), 1125:1125(0) ack 5442 win 64727
0x0000: 4500 0028 9553 4000 8006 040f c0a8 0d71 E..(.S@........q
0x0010: 430f 5045 12e2 01bb 5f9f 5c66 466f 21d0 C.PE...._.\fFo!.
0x0020: 5010 fcd7 18ad 0000 0000 0000 0000 P.............

(ssl ack-ack)
05:06:01.601803 IP (tos 0x0, ttl 128, id 38228, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4834 > 67.15.80.69.443: ., cksum 0x18ac (correct), 1125:1125(0) ack 5443 win 64727
0x0000: 4500 0028 9554 4000 8006 040e c0a8 0d71 E..(.T@........q
0x0010: 430f 5045 12e2 01bb 5f9f 5c66 466f 21d1 C.PE...._.\fFo!.
0x0020: 5010 fcd7 18ac 0000 0000 0000 0000 P.............

(cleartext syn)
05:06:01.763055 IP (tos 0x0, ttl 128, id 38257, offset 0, flags [DF], proto TCP (6), length 48) 192.168.13.113.4836 > 70.85.96.58.80: S, cksum 0xdac5 (correct), 1060888897:1060888897(0) win 65535
0x0000: 4500 0030 9571 4000 8006 f0ad c0a8 0d71 E..0.q@........q
0x0010: 4655 603a 12e4 0050 3f3b e141 0000 0000 FU`:...P?;.A....
0x0020: 7002 ffff dac5 0000 0204 05b4 0101 0402 p...............

(cleartext syn-ack)
05:06:01.805390 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 44) 70.85.96.58.80 > 192.168.13.113.4836: S, cksum 0x8285 (correct), 1186140239:1186140239(0) ack 1060888898 win 5840
0x0000: 4500 002c 0000 4000 2e06 d823 4655 603a E..,..@....#FU`:
0x0010: c0a8 0d71 0050 12e4 46b3 104f 3f3b e142 ...q.P..F..O?;.B
0x0020: 6012 16d0 8285 0000 0204 0518 0000 `.............

(cleartext ack)
05:06:01.805390 IP (tos 0x0, ttl 128, id 38258, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4836 > 70.85.96.58.80: ., cksum 0xb076 (correct), 1:1(0) ack 1 win 65535
0x0000: 4500 0028 9572 4000 8006 f0b4 c0a8 0d71 E..(.r@........q
0x0010: 4655 603a 12e4 0050 3f3b e142 46b3 1050 FU`:...P?;.BF..P
0x0020: 5010 ffff b076 0000 0000 0000 0000 P....v........

(cleartext post-login page)
05:06:01.815469 IP (tos 0x0, ttl 128, id 38259, offset 0, flags [DF], proto TCP (6), length 763) 192.168.13.113.4836 > 70.85.96.58.80: P, cksum 0xa53a (correct), 1:724(723) ack 1 win 65535
0x0000: 4500 02fb 9573 4000 8006 ede0 c0a8 0d71 E....s@........q
0x0010: 4655 603a 12e4 0050 3f3b e142 46b3 1050 FU`:...P?;.BF..P
0x0020: 5018 ffff a53a 0000 4745 5420 2f70 726f P....:..GET./pro
0x0030: 6a65 6374 2f3f 6163 636f 756e 745f 6964 ject/?account_id
0x0040: 3d32 3034 3238 3330 266c 6f67 696e 5f69 =2042830&login_i
0x0050: 643d 3226 636f 6465 3d38 3033 6333 3939 d=2&code=803c399
0x0060: 3430 3261 3633 6363 3833 3966 3238 6336 402a63cc839f28c6
0x0070: 3564 6162 6262 6432 3026 2048 5454 502f 5dabbbd20&.HTTP/

so yea, statcounter is completely set up and ready to process your logins securely, they'd just rather save that one extra 's' they'd have to gen from their php source to crypt it... so maybe their admins think they are wicked cool b/c they're still running leet apache 1.3.37, but they should remember they're also running mod_ssl 2.8.28... and use it... by default...
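
An added example, not from the original post: a small python check that flags any form carrying a password field whose action resolves to plain http, which is the condition firefox warned about above. The sample markup is constructed; the host, path and field names come from the captured POST, and treating form_pass as a type="password" input is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Collect every closed <form> and note whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: {"action": url, "password": bool}
        self._current = None   # form currently being parsed, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cleartext_login_targets(page_url, html):
    """Return form actions that would send a password field over plain http."""
    audit = LoginFormAudit(page_url)
    audit.feed(html)
    audit.close()
    return [f["action"] for f in audit.forms
            if f["password"] and urlsplit(f["action"]).scheme == "http"]


# Constructed sample: markup is assumed, only host/path/field names are from the dump.
SAMPLE = """
<form method="post" action="http://my3.statcounter.com/project/">
  <input type="text" name="form_user">
  <input type="password" name="form_pass">
  <input type="submit" name="LOGIN_BUTTON" value="LOGIN">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
"""
FIXED = SAMPLE.replace("http://my3.", "https://my3.")  # the one extra 's'

if __name__ == "__main__":
    print(cleartext_login_targets("https://statcounter.com/", SAMPLE))
    print(cleartext_login_targets("https://statcounter.com/", FIXED))
```

A relative action is resolved against the page URL, so the same form served from an http:// page is flagged too.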

scuse me, mr ranum sir... can not using crypto for passwords when you have crypto available be the 7th dumbest thing in security? ;)

