We recently had some senior staff order a third-party security audit and the Composite Login web service came up.
The Observation made:
Transmitting authentication credentials over unencrypted channels can expose those credentials to eavesdropping attackers. It is trivial for attackers to "sniff" authentication credentials sent over unencrypted networks such as public Wi-Fi networks. Exposed credentials can allow attackers to access user accounts to steal data or perform malicious actions.
http://our-site.com/Composite/services/Login/Login.asmx (from /Composite/top.aspx)
Recommendations
Only allow encrypted traffic (HTTPS/SSL) to web sites that require authentication. Never mix HTTP and HTTPS traffic, since there is potential to leak sensitive information like session identifiers over the HTTP connections.
MY QUESTION:
Is this something that I have to be concerned with? As I understand it, it's basically saying that if you log into your website in an internet café, credentials could be sniffed, which makes sense.
To implement this with Composite, do I need to put the whole site behind HTTPS, or is it possible to split the site?
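As an added example (not from the audit report and not Composite's own configuration), here is a web.config fragment that takes the "whole site behind HTTPS" route on IIS, which is what the recommendation against mixing HTTP and HTTPS amounts to. It assumes IIS 7 or later with the URL Rewrite module installed, an ASP.NET site using forms authentication, and that these elements are merged into the site's existing web.config rather than replacing it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Assumes forms authentication; requireSSL makes the auth ticket cookie
         Secure-only, so a browser never sends it over a plain http:// request. -->
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
    <!-- Marks all application cookies Secure and HttpOnly, which closes the
         "session identifier leaks over HTTP" finding for the rest of the site. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect every plain-HTTP request, including
             /Composite/services/Login/Login.asmx, to the same path over HTTPS. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- HSTS: after the first HTTPS visit the browser rewrites http:// links
             to https:// itself, so credentials are not sent in the clear before
             the redirect above can fire. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A redirect alone does not protect the very first request: a client that POSTs the login form to http:// has already sent the credentials before it sees the 301, which is why the cookie flags and HSTS are part of the fix rather than optional extras.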