Re: https-Question

From: Wilhelm Kutting <wkutting@xxxxxxxx>
Date: Fri, 14 Jul 2006 11:43:44 +0200

Nikita the Spider schrieb:

In article <e95k2m$66q$1@xxxxxxxxxxxxxxxxxxxxxxxxx>,
Wilhelm Kutting <wkutting@xxxxxxxx> wrote:

Hello, i got a little understanding Problem.
on some http-Sites i can log into my Account with Name/Passwort.
The Form-Login-Page ist only http with form action directing to a "secure" https page.
So - in my understanding the username and password is send uncrypted over the Net.
Only the later Communication is done secure.

Am i right that only a https login-Form-page would be safe?

Wilhelm,
Basically, yes.

HTTP = not secure, name and password sent without encryption

HTTPS = secure, name and password sent encrypted

Hope this helps

So if the loginform is http, the username and password is send via cleartext.

So the login on this page is totally dumb:
http://www.aerzteblatt.de/cme/

They offer both login over http and https and the result is the Same: Clear Username and clear password

This is not the only page where i saw such a thing.
i don't understand the misleading of users...
.

Follow-Ups:
- Re: https-Question
  - From: Sherm Pendley
- Re: https-Question
  - From: Bert Lancaster
- Re: https-Question
  - From: Chris Morris

References:
- https-Question
  - From: Wilhelm Kutting
- Re: https-Question
  - From: Nikita the Spider

Prev by Date: Picker (Ajax?)
Next by Date: Re: https-Question
Previous by thread: Re: https-Question
Next by thread: Re: https-Question
Index(es):
- Date
- Thread

Relevant Pages

Re: is that a good offer for a server installation?
... SO linux based upon kernel 2.6xx ... installation of cwfm (a software that manages files, at first I believed that should be created by them, but then I found out to be free on the net http://cwfm.sourceforge.net) upload and download are managed via http ... they told him that ftp is not secure for this and their program is based ... they use a https connection then it should be secure enough. ...
(comp.infosystems.www.servers.unix)
Re: Encrypted or Not Encrypted
... Optimally they should enter their creds after ssl has setup the secure session, ... The handshake requires that the client initiate the SSL connection. ... The agent acting as the HTTP client should also act as the TLS ...
(Security-Basics)
Re: Basic password security question
... Look at the pages - they never post that form over HTTP - usually the login form posts to an HTTPS address.... ... You need SSL - and if you have it for the rest of your site, why not for you login page too? ... Developing More Secure Microsoft ASP.NET 2.0 Applications ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: From http:// to https://
... > I have a login page that is secured with SSL and other non secure pages ... As Server.Transefer or response.redirect takes http by default. ... > standard method to transefer pages from normal to SSL page and vice versa. ...
(microsoft.public.dotnet.framework.aspnet)
Re: RESTful web service database
... I am developping an application for Android and I need a web service ... The username and login would be saved in a ... HTTP request when i pres the login button for example? ...
(comp.lang.java.databases)