Discussion:
howto prevent password sniffing?
r***@hotmail.com
2006-12-20 07:54:37 UTC
Hi

I have made an application that requests keys from an HTTP service.
I request the keys through HTTPS, which I thought was secure enough.
However, a friend of mine could very easily hook on my calls to wininet
API and sniff my passwords before they were encrypted.

I use the following call graph when sending my password (and username)
to the server:
InternetOpen()
InternetConnect()
HttpOpenRequest()
HttpSendRequest()

The problem is that SSL does the encryption of my data in
HttpSendRequest() and therefore my friend could easily hook up on
HttpOpenRequest() and read my password in clear text before it was
encrypted.

Since this is a standard way of communicating I assume there is a
solution to my problem(?).
Any ideas?

thanks
/ Jonas R
Paul Baker [MVP, Windows - Networking]
2006-12-20 14:11:59 UTC
All packets are secure and cannot be interfered with or even recorded and
played back. However, you are right that someone could hook APIs. That's not
really a WinInet question at all. It's the standard question of how not to
get spyware, which is answered in many places elsewhere. Be very careful
what you install, especially if written by a "friend" :)

Paul
Vladimir Scherbina
2006-12-20 15:10:23 UTC
You can do hooking only as administrator. The administrator is god. There
is nothing to hide from him.
--
Vladimir (Windows SDK MVP)
http://msmvps.com/blogs/v_scherbina/
Paul Baker [MVP, Windows - Networking]
2006-12-20 16:06:42 UTC
Vladimir,

I think that Users with the "Debug programs" user right, which normally
includes Administrators, get a disabled SeDebugPrivilege privilege which
they can enable with AdjustTokenPrivileges to get full control of all
processes except system ones.

I think that a process can get full control of any other process created by
the same user, even if they are not an administrator.

This is on Windows XP Service Pack 2.

I am pretty sure of this stuff because I wrote software to get the call stack, a
list of loaded modules, etc. from a remote process. You can verify some of
this information using Sysinternals Process Explorer.

Paul
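Added example, not part of any post in this thread: a PowerShell check of how the "Debug programs" right (SeDebugPrivilege) discussed above shows up in a token, as an alternative to inspecting it in Process Explorer. The helper name Get-DebugPrivilegeState and the sample rows are constructed for illustration; it assumes PowerShell 3.0 or later and an English-language Windows where `whoami /priv` reports the state as Enabled or Disabled.

```powershell
# Added example. Get-DebugPrivilegeState is a hypothetical helper name.
# Assumes English-language Windows (State column reads Enabled/Disabled).
function Get-DebugPrivilegeState {
    param(
        # Lines in the format printed by: whoami /priv /fo csv /nh
        # Default: query the token of the current session.
        [string[]]$PrivCsv = $(whoami /priv /fo csv /nh)
    )
    # /nh suppresses the header row, so column names are supplied here.
    $rows = $PrivCsv | Where-Object { $_ } |
        ConvertFrom-Csv -Header Name, Description, State
    $dbg = $rows | Where-Object { $_.Name -eq 'SeDebugPrivilege' } |
        Select-Object -First 1

    if (-not $dbg) {
        $state = 'Absent'
        $note  = 'No "Debug programs" right; processes of the same user are still reachable.'
    } elseif ($dbg.State -eq 'Enabled') {
        $state = 'Enabled'
        $note  = 'Privilege is already enabled in this token.'
    } else {
        $state = 'Disabled'
        $note  = 'Held but disabled; AdjustTokenPrivileges can enable it.'
    }
    [pscustomobject]@{ SeDebugPrivilege = $state; Note = $note }
}

# Constructed sample: token of an account that holds "Debug programs".
$adminSample = @(
    '"SeShutdownPrivilege","Shut down the system","Disabled"',
    '"SeDebugPrivilege","Debug programs","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
# Constructed sample: token of a standard user without that right.
$userSample = @(
    '"SeShutdownPrivilege","Shut down the system","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)

Get-DebugPrivilegeState -PrivCsv $adminSample   # SeDebugPrivilege: Disabled
Get-DebugPrivilegeState -PrivCsv $userSample    # SeDebugPrivilege: Absent
Get-DebugPrivilegeState                         # live token of this session
```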