Re: https-Question

On Fri, 14 Jul 2006 10:43:44 +0100, Wilhelm Kutting <wkutting@xxxxxxxx> wrote:

HTTP = not secure, name and password sent without encryption
HTTPS = secure, name and password sent encrypted
Hope this helps

So if the loginform is http, the username and password is send via cleartext.

No, the statement you were replying to is incorrect.

If the form is submitted to a HTTPS address (or a HTTP address that set to use SSL/TLS) then the form data will arrive securely, but there is another issue with using insecure login pages like this.

How do you know what data is being sent there securely, and what else is being sent to other addresses? By using an insecure login page, or by including insecure elements inside an HTTPS page (javascripts, iframes, etc), you make it possible for the login page to be tampered with by third parties. Malicious Javascript could be inserted to read users' login credentials when they submit the form, and this could then be sent elsewhere just before they go to the real login page. Or they could divert the form submission to a page of their own (such as a fake site to try and get more information - "Important message from your friendly service provider - Your credit card information is now out of date, please <a...>update it now</a> to avoid problems, thank you.")

It's good practice to have both the login page and the page you submit to fully secure (with everything in that page sent over HTTP from the same server - including the Javascripts, images and even any adverts!). Some sites don't like doing this because HTTPS pages use more server resources and all the hits from random passers-by can increase the load, but in an age where phising scams and identity theft are rife, everyone should be doing it regardless.

Security is only as good as the weakest link in the chain, and an insecure login page is open to attack just as much as any other insecure page. Wherever your password and username end up, remember that they're typed into that insecure page first.
.

Relevant Pages

  • LOGIN INFO secure at wwww.americanexpress.CA?
    ... secure page which causes the lock symbol to be displayed in the status ... That is the difference which caused the login page ... even though the page itself is not https. ... of a lock in the login region. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: Secure Login Form
    ... HTTPS should definitely be used, this web form isn't secure otherwise ... I'd recommend php, as it's server side so you are processing ... login form. ...
    (Security-Basics)
  • Re: Passing data from a http page to https page. Is it secure?
    ... Theoretically, yes, it's secure. ... https to begin with. ... Yahoo Login page has 2 modes Standard and Secure. ... > standard mode the login page was an http one, but the data is being posted ...
    (microsoft.public.vsnet.general)
  • Re: is this webpage secure?
    ... >> I am told by people in charge at the campus where I teach that this login ... >> page is secure, that the form login info is secure ... | via ssl, port 443). ... I just used Ethereal and the packet decode does show https to 199.17.13.240 ...
    (alt.computer.security)
  • Re: is this webpage secure?
    ... >> I am told by people in charge at the campus where I teach that this login ... >> page is secure, that the form login info is secure ... | via ssl, port 443). ... I just used Ethereal and the packet decode does show https to 199.17.13.240 ...
    (comp.os.linux.security)