Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to protect logon credentials from sniffing

Josef Wagner
Josef Wagner November 5, 2012

I just completed a tcpdump session to find out, how confluence protects credentials (user, password).

I was somewhat shocked, everything is plain text. Which possibilties exist to use confluence outside of he intranet in a professional (safe) way.

Avoid the https hazzle would be great.

Answer
Watch
Like Be the first to like this
786 views

2 answers

1 accepted

1 vote
Answer accepted
Andy Brook [Plugin People]
Andy Brook [Plugin People]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 5, 2012

Well, it would be, thats how forms based auth does, its open to sniffing. However, the days of 'one cable' lan are long gone, an attacker would need to have access to core network infrastructure to do the same, especially true on internal networks.

If you want secure transport layer you need to use SSL, the middle ground may be to adopt a 3rd party single sign on authenticator...

SSL doco is @ https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

Reply
0 votes
VitalyA
VitalyA November 13, 2012

Josef,

There are no alternatives to "plaintext" transmission of user names and passwords, if you are using plain HTTP. Think about it for a second - even if you are encoding passwords in the browser somehow (if this is what you propose), then the encoded value becomes a "plaintext" password accepted by the server. As long as one can sniff your traffic, and you are not re-implementing HTTPS in some way, one can impersonate you.

View More Comments
Andy Brook [Plugin People]
Andy Brook [Plugin People]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 13, 2012

Agree, should also add, the days of a single cable have gone, but wifi is the new weakness, every wifi hotspot is a potential attack point _if_ you are not using ssl...

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events