Subject: Is posting from http to https secure?

Lee (leejtur***@gmail.com) wrote:

Hi, just a quick question.

I have a webpage which sits at an http address. This page accepts a username and password from the user and then posts this information to an https (secure) page. Is this secure? Does it matter that the initial page is not https? Will the data be sent encrypted, or should I make my first page run over https as well?

Thanks for your help.

Lee

David Wang wrote:

The POST'd form data will be transmitted securely over HTTPS.

Whether this scheme is secure... it depends on the custom forms authentication protocol. For example, if the user mistypes the password, will the access-denied message redirect any user information back to the user over HTTP? Oops, that just disclosed sensitive information in the error scenario - classic code bug.

If you are in doubt, transmit all data associated with the user login over HTTPS to be safe. If you control what is going on, you can appropriately optimize.

//David
w3-4u.blogspot.com
//

Lee wrote:

Thanks David,

that makes sense. In my case, if a username or password is incorrect then an error code is sent back to the unsecured page and an access denied message is displayed. It really doesn't matter if this code is insecure as it bears no relation to any user details etc.

Thank you for taking the time to reply.

Lee

Reply (author not shown):

Note there are other good reasons to make the form itself (pre-post command)
secured. Having the form itself in HTTPS mode helps prevent someone from spoofing your site (phishing) to capture the user/pass before login. The risk is small though, especially if you don't have financial stuff behind there and don't have a large userbase.

Roger Abell [MVP] wrote:

I agree with David's reply.

I have also seen some cases to which his reply does not speak, however, hence this added info. Just because you end up at an https page does not necessarily mean that the posting was secured with SSL (https).

What you need to do is look at the html for the posting action (ex. use View Source and search on the text shown in the login box). The posting action in the Form field for that input box (username and password) usually will be seen to be https.

However, it can be http, and the redirect that takes place on the server as part of the login could still send you to an https page after the login, so it can "look" like everything was https when in fact it is not. When not, it is plain sloppy web coding, but I have seen some places where this slipped past.

Roger

David Wang wrote:

Yup, absolutely. When talking about a login form, there are two
independent events happening.

Event#1: First is the retrieval of the login form initiated by the www client, usually in direct proxy of a user typing/entering in the URL Address bar or clicking on the link. The www server responds over that same channel with the contents of the login form.

Event#2: Then there is the retrieval/posting of the login form (depends on the ACTION defined for the form) initiated by the www client, usually in direct proxy of a user clicking the "submit" button. The www server processes the request (such as validating the username/password sent by the form) and returns an appropriate response over the same channel as the retrieval/posting.

You asked if Event#1 over HTTP implies anything about Event#2 over HTTPS, and the answer is no. Roger pointed out that Event#1 over HTTPS implies NOTHING about Event#2. Just because Event#1 is over HTTPS does not mean Event#2 is also over HTTPS, and there is plenty of anecdotal "oops" evidence. I pointed out that if you are paranoid, make Event#1 and Event#2 both over HTTPS.

//David
http://w3-4u.blogspot.com
//

Roger Abell [MVP] wrote:

I wish one could make the browser display a little
lock icon on submit buttons (however labelled) to make it very plain if the submit is or is not https.

<leejtur***@gmail.com> wrote:
> Thanks so much guys, that's some really useful info.

David Wang wrote:

For IE7, I would make the wish on the IE Team Blog ( http://blogs.msdn.com/IE/ ) as they go through the security sweeps. I realize that this does not take care of the custom submit graphics, but in those cases the user is responsible for proper labeling...

//David
http://w3-4u.blogspot.com
//

Roger Abell [MVP] wrote:

Well, it is a little late for IE 7 RTW . . .
Good idea though, David.

Roger

Reply (author not shown):

When I get ready to input my username and password on a web page, I expect to see the padlock icon and https in the url. Secure or not, I don't understand why you want to do other than that. What are you saving? Why give a user a reason to think your page might be insecure? Put your user hat on.
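Roger's "view source and check the form ACTION" advice and David's Event#1/Event#2 distinction can be automated. The script below is an added example, not code from anyone in the thread: for every form that carries a password field it resolves the action against the page URL the way a browser would (empty, relative and protocol-relative actions all inherit scheme and host from the page that served the form) and reports the scheme the credentials will actually travel over. It uses only the Python 3 standard library; the page URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects [action, has_password_field] for every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to the page's own URL".
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True  # this form carries credentials

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(resolved_action_url, scheme)] for each form with a password field."""
    parser = LoginFormFinder()
    parser.feed(html)
    results = []
    for action, has_password in parser.forms:
        if has_password:
            # Resolve like a browser: "", "login.asp", "/login" and "//host/login"
            # inherit scheme and/or host from the page URL; absolute URLs do not.
            target = urljoin(page_url, action)
            results.append((target, urlsplit(target).scheme.lower()))
    return results


# Constructed sample: a page served over plain HTTP holding three forms.
SAMPLE_PAGE_URL = "http://www.example.com/index.asp"
SAMPLE_HTML = """
<form action="https://www.example.com/login.asp" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="login.asp" method="post">
  <input name="user"><input type="PASSWORD" name="pass"></form>
<form action="/search"><input name="q"></form>
"""

for url, scheme in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
    print(url, "OK (HTTPS)" if scheme == "https" else "CREDENTIALS WOULD GO OVER HTTP")
```

The second sample form is the case Roger describes: the page may redirect to an https page after login, but the POST itself goes over http because the relative action inherits the page's scheme.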