IIS Server Security archive, December 2006

Is posting from http to https secure?

leejturner@gmail.com 2006-10-11, 7:32 am
Hi just a quick question.
I have a webpage which sits at an http address. This page accepts a
username and password from the user and then posts this information to
an https (secure) page. Is this secure? Does it matter that the initial
page is not https? Will the data be sent encrypted or should I make my
first page run over https as well?
Thanks for your help.
Lee

David Wang 2006-10-11, 7:20 pm
The POST'd form data will be transmitted securely over HTTPS.
Whether this scheme is secure... it depends on the custom forms
authentication protocol.
For example, if the user mistypes the password, will the access-denied
message redirect any user information back to the user over HTTP? Oops,
that just disclosed sensitive information in the error scenario -
classic code bug.
If you are in doubt, transmit all data associated with the user login
over HTTPS to be safe. If you control what is going on, you can
appropriately optimize.
//David
w3-4u.blogspot.com
//
leejtur...@gmail.com wrote:
> Hi just a quick question.
>
> I have a webpage which sits at an http address. This page accepts a
> username and password from the user and then posts this information to
> an https (secure) page. Is this secure? Does it matter that the initial
> page is not https? Will the data be sent encrypted or should I make my
> first page run over https as well?
>
> Thanks for your help.
>
> Lee

leejturner@gmail.com 2006-10-11, 7:20 pm
Thanks David,
that makes sense. In my case if a username or password is incorrect
then an error code is sent back to the unsecured page and an access
denied message is displayed. It really doesn't matter if this code is
insecure as it bears no relation to any user details etc.
Thank you for taking the time to reply.
Lee
David Wang wrote:
> The POST'd form data will be transmitted securely over HTTPS.
>
> Whether this scheme is secure... it depends on the custom forms
> authentication protocol.
>
> For example, if the user mistypes the password, will the access-denied
> message redirect any user information back to the user over HTTP? Oops,
> that just disclosed sensitive information in the error scenario -
> classic code bug.
>
> If you are in doubt, transmit all data associated with the user login
> over HTTPS to be safe. If you control what is going on, you can
> appropriately optimize.
>
> //David
> w3-4u.blogspot.com
> //
>
> leejtur...@gmail.com wrote:

Roger Abell [MVP] 2006-10-11, 7:20 pm
I agree with David's reply.
I have also seen some cases to which his reply
does not speak however, hence this added info.
Just because you end up at an https page does
not necessarily mean that the posting was secured
with SSL (https).
What you need to do is look at the html for the
posting action (ex. use View Source and search
on the text shown in the login box). The posting
action in the Form field for that input box (username
and password) usually will be seen to be https.
However, it can be http and the redirect that takes
place on the server as part of the login could still
send you to an https page after the login, so it can
"look" like everything was https when in fact it is not.
When not it is plain sloppy webcoding, but I have seen
some places where this slipped past.
Roger
<leejturner@gmail.com> wrote in message
news:1160563648.019675.248650@k70g2000cwa.googlegroups.com...
> Hi just a quick question.
>
> I have a webpage which sits at an http address. This page accepts a
> username and password from the user and then posts this information to
> an https (secure) page. Is this secure? Does it matter that the initial
> page is not https? Will the data be sent encrypted or should I make my
> first page run over https as well?
>
> Thanks for your help.
>
> Lee
>

Funkadyleik Spynwhanker 2006-10-11, 7:20 pm
Note there are other good reasons to make the form itself (pre-post command)
secured.
Having the form itself in HTTPS mode helps prevent someone from spoofing
your site (phishing) to capture the user/pass before login.
The risk is small though, especially if you don't have financial stuff
behind there and don't have a large userbase.
<leejturner@gmail.com> wrote in message
news:1160571871.462309.17210@m7g2000cwm.googlegroups.com...
> Thanks David,
>
> that makes sense. In my case if a username or password is incorrect
> then an error code is sent back to the unsecured page and an access
> denied message is displayed. It really doesn't matter if this code is
> insecure as it bears no relation to any user details etc.
>
> Thankyou for taking the time to reply.
>
> Lee
>
> David Wang wrote:
>

David Wang 2006-10-11, 7:20 pm
Yup, absolutely. When talking about a login form, there are two
independent events happening.
Event#1:
First is the retrieval of the login form initiated by the www client,
usually in direct proxy of a user typing/entering in the URL Address
bar or clicking on the link. The www server responds over that same
channel with the contents of the login form.
Event#2:
Then there is the retrieval/posting of the login form (depends on the
ACTION defined for the form) initiated by the www client, usually in
direct proxy of a user clicking the "submit" button. The www server
processes the request (such as validate the username/password sent by
the form) and returns an appropriate response over the same channel as
the retrieval/posting.
You asked if Event#1 over HTTP implies anything about Event#2 over
HTTPS, and the answer is no.
Roger pointed out that Event#1 over HTTPS implies NOTHING about
Event#2. Just because Event#1 is over HTTPS does not mean Event#2 is
also over HTTPS, and there are plenty of anecdotal "oops" evidence.
I pointed out that if you are paranoid, make Event#1 and Event#2 both
over HTTPS.
//David
http://w3-4u.blogspot.com
//
Roger Abell [MVP] wrote:
> I agree with David's reply.
>
> I have also seen some cases to which his reply
> does not speak however, hence this added info.
> Just because you end up at an https page does
> not necessarily mean that the posting was secured
> with SSL (https).
>
> What you need to do is look at the html for the
> posting action (ex. use View Source and search
> on the text shown in the login box). The posting
> action in the Form field for that input box (username
> and password) usually will be seen to be https.
>
> However, it can be http and the redirect that takes
> place on the server as part of the login could still
> send you to an https page after the login, so it can
> "look" like everything was https when in fact it is not.
> When not it is plain sloppy webcoding, but I have seen
> some places where this slipped past.
>
> Roger
>
> <leejturner@gmail.com> wrote in message
> news:1160563648.019675.248650@k70g2000cwa.googlegroups.com...
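The check Roger describes (read the form's posting action in the page source) and David's Event#2, as an added Python example that is not code from any of the posters: it parses the HTML as delivered in Event#1, resolves each password form's action against the page URL, and reports whether that submission would go over https. The page URL and HTML are constructed samples.

```python
# Added example for this thread (not code from any poster): find every form on a
# delivered login page that has a password field, resolve its action against the
# page URL, and report whether that submission would travel over https.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect each <form> and remember whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # dicts: {"action": absolute URL, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or self.page_url)
            self._current = {"action": action, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return (action_url, posts_over_https) for each form with a password field."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    return [(f["action"], urlsplit(f["action"]).scheme == "https")
            for f in parser.forms if f["password"]]

# Constructed sample: a login page served over plain http, as in the question.
SAMPLE_URL = "http://www.example.com/login.html"
SAMPLE_HTML = """
<form action="https://www.example.com/dologin" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit"></form>
<form action="/search" method="get"><input name="q"></form>
<form action="dologin" method="post"><input name="user"><input type="PASSWORD" name="pass"></form>
"""

for action, secure in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
    print(("ok   " if secure else "WARN ") + "password form submits to " + action)
```

Because the form itself arrives in Event#1, an http-served page can be altered before it reaches the user, so this audit only vouches for the copy that was delivered; serving the form over https as well removes that gap.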

leejturner@gmail.com 2006-10-13, 1:26 pm
Thanks so much guys, that's some really useful info.

Roger Abell [MVP] 2006-10-14, 7:36 pm
I wish one could make the browser display a little
lock icon on submit buttons (however labelled) to
make it very plain if the submit is or is not https.
<leejturner@gmail.com> wrote in message
news:1160743717.241089.207570@m73g2000cwd.googlegroups.com...
> Thanks so much guys thats some really useful info.
>

David Wang 2006-10-15, 1:30 am
For IE7, I would make the wish on the IE Team Blog (
http://blogs.msdn.com/IE/ ) as they go through the security sweeps. I
realize that this does not take care of the custom submit graphics, but
in those cases the user is responsible for proper labeling...
//David
http://w3-4u.blogspot.com
//
Roger Abell [MVP] wrote:
> I wish one could make the browser display a little
> lock icon on submit buttons (however labelled) to
> make it very plain if the submit is or is not https.
>
> <leejturner@gmail.com> wrote in message
> news:1160743717.241089.207570@m73g2000cwd.googlegroups.com...

Roger Abell [MVP] 2006-10-15, 1:30 am
Well, it is a little late for IE 7 RTW . . .
Good idea though David
Roger
"David Wang" <w3.4you@gmail.com> wrote in message
news:1160886521.655772.62630@m7g2000cwm.googlegroups.com...
> For IE7, I would make the wish on the IE Team Blog (
> http://blogs.msdn.com/IE/ ) as they go through the security sweeps. I
> realize that this does not take care of the custom submit graphics, but
> in those cases the user is responsible for proper labeling...
>
>
> //David
> http://w3-4u.blogspot.com
> //
>
> Roger Abell [MVP] wrote:
>

Rich Raffenetti 2006-12-02, 1:30 am
When I get ready to input my username and password on a web page, I expect
to see the padlock icon and https in the url. Secure or not, I don't
understand why you want to do other than that. What are you saving? Why
give a user a reason to think your page might be insecure? Put your user
hat on.
<leejturner@gmail.com> wrote in message
news:1160563648.019675.248650@k70g2000cwa.googlegroups.com...
> Hi just a quick question.
>
> I have a webpage which sits at an http address. This page accepts a
> username and password from the user and then posts this information to
> an https (secure) page. Is this secure? Does it matter that the initial
> page is not https? Will the data be sent encrypted or should I make my
> first page run over https as well?
>
> Thanks for your help.
>
> Lee
>