Form (in)Security?
Hello,
I was looking at websites such as hotmail.com. If you notice when you go to hotmail.com and try and log in, it isn't a "secure site". I did notice that the 'form action' is sent to a secure site (i.e. https).

How does that help? Just because you send the form data to a secure site, the data is still sent in plain text to the secure site.... right?

Can someone explain what I am missing?

Thanx a ton,
Ryan Ritten
Re: Form (in)Security?
Sparticus wrote:
> Hello,
>
> I was looking at websites such as hotmail.com. If you notice when you
> go to hotmail.com and try and log in, it isn't a "secure site". I did
> notice that the 'form action' is sent to a secure site (i.e. https).
>
> How does that help? Just because you send the form data to a secure
> site, the data is still sent in plain text to the secure site....
> right?
>
> Can someone explain what I am missing? Thanx a ton,

Believe so, the form with user/password should be accessed with https AND should post to https to encrypt the transmission.

M$ *knows* security! ;-)

--
Take care,
Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
Re: Form (in)Security?
I just find it odd that a large company like hotmail wouldn't have some sort of password protection.... does anyone else have any comments on this?
Re: Form (in)Security?
"Sparticus" <sparticusREMOVE@thesparticusarena.com> wrote:
> I was looking at websites such as hotmail.com. If you notice when you
> go to hotmail.com and try and log in, it isn't a "secure site".

The page containing the login form is indeed sent via http, not https. It doesn't really matter, except in the sense that people may have been misled into thinking that it does (and even look for a lock symbol to indicate "secure site"). The page is sent unencrypted, but who cares? It's publicly accessible anyway.

> I did
> notice that the 'form action' is sent to a secure site (i.e. https).

Indeed. That's what matters.

> How does that help?

By making data transmission from your browser to the server encrypted.

> Just because you send the form data to a secure
> site, the data is still sent in plain text to the secure site....
> right?

Wrong. It's the action attribute that matters, not the URL of the page containing the form. The action attribute determines the address to be used in the transaction where your data is sent.

--
Yucca, http://www.cs.tut.fi/~jkorpela/
Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html
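Yucca's point is that the form's action attribute, resolved against the page's URL, decides where the credentials travel. What follows is an added example, not code from the thread or from any site it mentions: a small audit a site owner can run over their own login page's markup. It resolves each form's action the way a browser does (a missing or empty action means "post back to the page's own URL") and flags any form that contains a password field but would submit over plain http. The page URL, the markup and the paths in it are constructed sample values; the regex scanner is deliberately minimal and only meant to handle markup like the sample.

```javascript
// Added example (not from the thread): audit an HTML page for forms that
// would submit a password over plain http. All inputs below are constructed.

// Resolve a form's action against the page URL the way a browser does:
// no action, or an empty one, means the form posts to the page's own URL.
function resolveAction(pageUrl, action) {
  const raw = action === null || action.trim() === "" ? pageUrl : action;
  return new URL(raw, pageUrl);
}

// Scan every <form> in the markup and report where its data would go,
// whether it carries a password field, and the resulting risk.
function auditForms(pageUrl, html) {
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    // action="..." | action='...' | action=bare
    const actionMatch =
      /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const action = actionMatch
      ? (actionMatch[1] ?? actionMatch[2] ?? actionMatch[3])
      : null;
    const target = resolveAction(pageUrl, action);
    const hasPassword =
      /<input\b[^>]*\btype\s*=\s*["']?password["']?/i.test(body);
    const encrypted = target.protocol === "https:";
    results.push({
      action: target.href,
      encrypted,
      hasPassword,
      // The thread's rule: the post target's scheme is what protects the
      // credentials, not the scheme of the page that carried the form.
      risk: hasPassword && !encrypted ? "password sent in cleartext" : "ok",
    });
  }
  return results;
}

// Constructed sample: an http login page (as in the thread) with one form
// posting to https, one without a password, and one misconfigured to post
// to http. Host and paths are placeholders.
const SAMPLE_PAGE_URL = "http://login.example.test/index.html";
const SAMPLE_HTML = `
<html><body>
<form method="post" action="https://login.example.test/login/submit">
  <input name="login"> <input type="password" name="passwd">
</form>
<form method="get" action="/search">
  <input name="q">
</form>
<form method="post" action="http://login.example.test/legacy/login">
  <input name="user"> <input type='password' name='pw'>
</form>
</body></html>`;

for (const entry of auditForms(SAMPLE_PAGE_URL, SAMPLE_HTML)) {
  console.log(entry);
}
```

Run with `node` to see one entry per form; only the third is flagged. A check like this confirms the markup as your server emits it, which is exactly what the thread says matters for the transmission. It says nothing about the page being modified on its way to the user's browser over plain http, which is why the bank and Gmail login pages mentioned later in the thread serve the form itself over HTTPS as well.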
Re: Form (in)Security?
Hmm... so if that's the case, then when I click 'submit' on the website, the website must see that the form 'action' is a secure site. So when it sees this, it then makes a secure connection with that site... then it sends over the encrypted data?

Can anyone else verify this is how it works? I need to know because I am making a website that needs to have the password sent via an HTML form securely.

I noticed when you go to bank websites, or even gmail (google's mail) the login page is already a secure site.

That's why I'm wondering if there is something I'm missing.

TIA
Ryan Ritten
Re: Form (in)Security?
Sparticus wrote:
> Hmm... so if that's the case, then when I click 'submit' on the
> website, the website must see that the form 'action' is a secure site.
> So when it sees this, it then makes a secure connection with that
> site... then it sends over the encrypted data?
>
> can anyone else verify this is how it works?

Yep, I do ;)

> I need to know because I
> am making a website that needs to have the password sent via an HTML
> form securely.
>
> I noticed when you go to bank websites, or even gmail (google's mail)
> the login page is already a secure site.
>
> That's why I'm wondering if there is something I'm missing.

If the page containing the form is served using HTTPS, the user can see this (lock icon). The user won't see how his data is sent after submitting the form (some browsers tell you about it, "... you are sending data unencrypted...", but this message can be disabled) - a 'lock icon' for submit buttons might be a nice idea, but you'll have to tell this to browser manufacturers...

Users may feel more secure if the document with the form has a 'lock icon' - but thinking that this implies that their data is sent securely is wrong. You should tell the users that their data is sent encrypted (some people think the 'lock icon' does this job, but this is wrong as said above) - they have to trust you anyway, unless they analyse the document source themselves.

--
Benjamin Niemann
Email: pink at odahoda dot de
WWW: http://www.odahoda.de/
Re: Form (in)Security?
Sparticus wrote:
> can anyone else verify this is how it works? I need to know because I
> am making a website that needs to have the password sent via an HTML
> form securely.
>
> I noticed when you go to bank websites, or even gmail (google's mail)
> the login page is already a secure site.
>
> That's why I'm wondering if there is something I'm missing.

Well, if your form already contains sensitive data (e.g. a prefilled login name or, even worse, a prefilled password), it should be served as HTTPS. But you should not do it anyway; browsers can prefill the login data on their own - if the user thinks this is sufficiently secure.

--
Benjamin Niemann
Email: pink at odahoda dot de
WWW: http://www.odahoda.de/