The HTTP protocol includes authentication features, such as “Basic HTTP Authentication” and “Digest HTTP Authentication”, which are well supported by current browsers. Using either, every time you log your browser into a website with a username & password, the browser stores three pieces of information: the site’s hostname, your username, and your password. From then on, until you quit your browser, every time you visit any page on that site, your browser sends that username & password to the server. This is the same via both HTTP & HTTPS, but doesn’t apply to custom login code, such as forms and cookies. Normally the easiest way to recognize Basic or Digest authentication is the separate window that pops up over the web page, prompting for username and password, and possibly “realm”; if it has logos or is inside a web page, it isn’t Basic or Digest authentication.
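The behaviour described above, as an added example that is not part of the original post: a simplified Python model of the per-hostname credential store, showing that a Basic credential goes out with every request to that host and is only base64-encoded, so any server-side handler on the host can recover it. The class name, hostnames, paths and credentials are constructed for illustration, and the model assumes the hostname-only scoping this page describes (real browsers also take the realm and path into account).

```python
import base64
from urllib.parse import urlsplit


class HostCredentialCache:
    """Hypothetical model of the browser store: hostname -> (username, password)."""

    def __init__(self):
        self._by_host = {}

    def remember(self, url, username, password):
        # Only the hostname is used as the key, as the page describes.
        self._by_host[urlsplit(url).hostname] = (username, password)

    def headers_for(self, url):
        """Return the auth header the modelled browser attaches to a request."""
        creds = self._by_host.get(urlsplit(url).hostname)
        if creds is None:
            return {}
        token = base64.b64encode(":".join(creds).encode("utf-8")).decode("ascii")
        return {"Authorization": "Basic " + token}


def decode_basic(header_value):
    """Recover (username, password) from a Basic header: base64, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # The username cannot contain ':', so split on the first one only.
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


# Constructed sample data: one login, then requests to three URLs.
cache = HostCredentialCache()
cache.remember("https://site-x.example/login", "alice", "s3cret:pw")

SAMPLE_URLS = (
    "https://site-x.example/members/",            # the page the user meant to visit
    "https://site-x.example/~mallory/page.html",  # another party's page, same host
    "https://other.example/",                     # different host: nothing is sent
)


def demo():
    """Map each sample URL to the credentials its server would receive."""
    results = {}
    for url in SAMPLE_URLS:
        header = cache.headers_for(url).get("Authorization")
        results[url] = decode_basic(header) if header else None
    return results


if __name__ == "__main__":
    for url, received in demo().items():
        print(url, "->", received)
```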

There are a lot of tricks, including scripting techniques to grab passwords from other sites, or to fool a password manager (built into the browser or a separate program) into providing a password with little or no human confirmation, but it’s simply not possible to completely prevent people from sending their passwords for any site to ‘rogue’ pages on the same site. In the simplest case, someone could copy the official Site X login page, make a private copy, and store the passwords entered or send them to a remote server. For bonus points, forward the credentials to the real login page, so the user gets logged in successfully and doesn’t notice anything is wrong.

For a long and interesting review of the issues, see the Firefox bug for a specific MySpace password capturing attack: https://bugzilla.mozilla.org/show_bug.cgi?id=360493. A shorter page by the original reporter is at http://www.info-svc.com/news/11-21-2006/. Note how difficult it is to solve a specific problem in a specific browser, and keep in mind that many browsers are in use (Firefox, IE6, IE7, Safari, Opera, Lynx, Konqueror, Nokia’s new browser, IE Mobile, the Palm browser, etc.). There will always be attacks that get past many of these browsers – the possibilities are too wide open, and there’s too much human desire for quick and convenient access to the web (otherwise password managers wouldn’t exist, and we’d use a different password for every site).

The same issues apply to cookies, although they are more flexible and thus more complicated.
