Re: https-Question



Wilhelm Kutting <wkutting@xxxxxxxx> writes:
> Nikita the Spider wrote:
>> Wilhelm,
>> Basically, yes.
>> HTTP = not secure, name and password sent without encryption
>> HTTPS = secure, name and password sent encrypted
>> Hope this helps
>
> So if the login form is http, the username and password are sent via
> cleartext.

The protocol used to *retrieve* the form only affects the protocol
used to *submit* the form if a relative URL is used for the form action.

<form action='https://www.example.com/' method='post'> (absolute URL)
will *always* submit securely whether the page with the form on was
retrieved via http or https (or even file, ftp, or other less likely
protocols)

<form action='/login' method='post'> (relative URL)
on the other hand will use whatever protocol was used to load the page
to submit the form.

--
Chris
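
The rule described in the reply above, as an added example that is not part of the original post: it resolves each form's action against the URL the page was loaded from and flags password forms whose submission would not use https. It goes slightly beyond the post by also covering protocol-relative and missing action attributes; the function names, page URLs and sample markup are constructed for illustration.

```javascript
// Added example (not from the original post). URLs and markup are constructed samples.

// Resolve a form's action the way a browser does: relative to the URL the
// page was loaded from. A missing or empty action submits to the page URL.
function resolveAction(pageUrl, action) {
  const base = new URL(pageUrl);
  if (action === undefined || action.trim() === "") return base;
  return new URL(action.trim(), base);
}

// Minimal <form> extraction. A regex is enough for the constructed sample;
// a real audit should use an HTML parser and honour <base href>.
function findForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const action = attr ? (attr[1] ?? attr[2] ?? attr[3]) : undefined;
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(m[2]);
    forms.push({ action, hasPassword });
  }
  return forms;
}

// Report, per form, where it would be submitted and whether a password
// field would travel over a non-https scheme.
function auditPage(pageUrl, html) {
  return findForms(html).map(({ action, hasPassword }) => {
    const target = resolveAction(pageUrl, action);
    return {
      action: action ?? "(none)",
      target: target.href,
      cleartextCredentials: hasPassword && target.protocol !== "https:",
    };
  });
}

const SAMPLE_HTML = `
<form action='https://www.example.com/' method='post'><input type='password' name='p'></form>
<form action='/login' method='post'><input type='password' name='p'></form>
<form action='//www.example.com/login' method='post'><input type='password' name='p'></form>
<form method='post'><input type='password' name='p'></form>
<form action='/search'><input type='text' name='q'></form>`;

for (const pageUrl of ["http://www.example.com/account", "https://www.example.com/account"]) {
  console.log(pageUrl);
  for (const r of auditPage(pageUrl, SAMPLE_HTML)) console.log("  ", JSON.stringify(r));
}
```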