Playing with Wireshark

Cheesewaffle Member Posts: 20
Hi Guys,

I have been playing with Wireshark recently.

I realised that Facebook is HTTP not HTTPS, so I decided to do a test: whilst running Wireshark on my laptop I logged into Facebook. However, when I looked through the capture I could not see my username and password.

I was wondering why I couldn't see this, although I was using HTTP, which is not encrypted. I could see things like the website name in the capture.

Cheers

Comments

  • tiersten Member Posts: 4,505
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,738
    I honestly wish the whole web site was HTTPS.

    On a side note, did you try capturing Facebook chat? I have been wondering if that was encrypted. Haven't tried.
    Currently working on: Linux and Python
  • tiersten Member Posts: 4,505
    veritas_libertas wrote: »
    I honestly wish the whole web site was HTTPS.

    Would be nice. Same reason as to why Gmail until recently didn't default to SSL encrypted connections though. It's easier on their servers.

    veritas_libertas wrote: »
    On a side note, did you try capturing Facebook chat? I have been wondering if that was encrypted. Haven't tried.

    Nope
  • Cheesewaffle Member Posts: 20
    tiersten wrote: »
    From the login page:

    form method="POST" action="https://login.facebook.com/login.php?login_attempt=1"

    When I do it it uses the get method, not post... hmmm
  • tiersten Member Posts: 4,505
    Cheesewaffle wrote: »
    When I do it it uses the get method, not post... hmmm

    It would be unusual and insecure to have a login system that uses HTTP GET. You'll have to look at the logs to see what it's doing. It uses HTTPS POST to that login server when I look at the Facebook main page.
  • Cheesewaffle Member Posts: 20
    It's using HTTP and GET for me... Any ideas?
  • tiersten Member Posts: 4,505
    Cheesewaffle wrote: »
    It's using HTTP and GET for me... Any ideas?

    The login page or the actual form submission? It does an HTTPS POST when I look at it in my browser and in Google's cache of the facebook.com main page.
  • Cheesewaffle Member Posts: 20
    I go to Welcome to Facebook | Facebook

    Then I start up Wireshark

    I put in my username and password and the only piece of HTTP traffic I see is a GET request...

    However, I have just had a second look and I see a bit of TLS activity prior to the GET request, so maybe this is the password exchange? Confusing though, as I didn't think HTTP used TLS.
  • tiersten Member Posts: 4,505
    Cheesewaffle wrote: »
    However, I have just had a second look and I see a bit of TLS activity prior to the GET request, so maybe this is the password exchange?

    The GET request you see is your browser loading the logged in page of Facebook or the redirection page that bounces you to the logged in page. The encrypted part is the POST form submission of your username and password to the Facebook login server.

    Examine the Wireshark **** more closely. You should see it opening a connection to login.facebook.com using HTTPS and it sending then receiving a small amount of data. It should then make new connections to other Facebook servers without encryption and start the process of loading up your logged in page.

    Cheesewaffle wrote: »
    Confusing though, as I didn't think HTTP used TLS.

    It doesn't.
  • Cheesewaffle Member Posts: 20
    Brilliant, Cheers.

    After a closer inspection, Wireshark never displayed HTTPS in the protocol field as such; it displays TLSv1 with a destination port of 443 :) Which is HTTPS.

    I can sleep now, Thanks
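The check tiersten did by reading the login page source can be automated. The following is an added example, not part of the original thread: it parses a page's HTML, finds every form containing a password field, and reports where and how that form submits. The page URLs, field names and both sample pages are constructed; only the form method and action in `GOOD` come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms that hold a password field
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults: method is GET, action is the page's own URL
            self._current = {
                "method": (a.get("method") or "get").upper(),
                "action": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None

def audit(page_url, html):
    """Return (action URL, method, problems) for each login form on the page."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    results = []
    for f in parser.forms:
        problems = []
        if urlsplit(f["action"]).scheme != "https":
            problems.append("credentials submitted over cleartext HTTP")
        if f["method"] != "POST":
            problems.append("credentials placed in the URL (GET)")
        results.append((f["action"], f["method"], problems))
    return results

# Constructed sample pages; the form tag in GOOD uses the action quoted in the thread.
GOOD = ('<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1">'
        '<input type="text" name="email"><input type="password" name="pass"></form>')
BAD = '<form action="/login"><input type="password" name="pass"></form>'
```

A form that passes this check but is itself delivered over plain HTTP can still be altered in transit before the user submits it, so a clean result here is about the submission only, not the page that carries the form.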