Security Basics mailing list archives
Re: Encrypted or Not Encrypted
From: "Gregory Rubin" <grrubin () gmail com>
Date: Fri, 12 Sep 2008 10:07:42 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is correct. The entire connection between the browser and the receiving server is encrypted. At no point is any of the information in the example form exposed.

HOWEVER, having a form that submits to HTTPS be displayed on an HTTP site is an extremely bad practice because none of the protections granted by https are on the form's page. This means that an attacker can:

* Modify the form so that it submits over http
* Modify the form so that it submits directly to the attacker
* Insert javascript into the page that sniffs out the user-name and password (prior to form submission) and sends them to the attacker
* DNS Hijack the client and cause them to view an entirely attacker controlled page (but at the same URL).

(Also, there is no way for the user to know that the form submits over https without looking at the source.)

Https on the form's page will protect against all of these attacks and is why so many of the major sites require the form to be displayed on an HTTPS page (and instruct their users to never enter their credentials on an http site).

Greg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: http://getfiregpg.org

iD8DBQFIyqHX5KDU23nQpRcRAhr0AJ450yzA9XcA35hxIAaYDh6BTLM6mQCg+us3
Jlh/xszj7iWzzIjzMNNnOVc=
=zZFk
-----END PGP SIGNATURE-----

On Fri, Sep 12, 2008 at 12:28 AM, Roman Fulop <ml () ensof1 trithem sk> wrote:
> Hi, AFAIK, the SSL handshake occurs before sending HTTP request.
Current thread:
- Encrypted or Not Encrypted amatachick (Sep 11)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
- Re: Encrypted or Not Encrypted Gregory Rubin (Sep 16)
- Re: Encrypted or Not Encrypted Garry Baker (Sep 12)
- RE: Encrypted or Not Encrypted Eifrém Strinnholm Jonas (Sep 12)
- Re: Encrypted or Not Encrypted Rob (Sep 16)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 16)
- RE: Encrypted or Not Encrypted Basha, Arif (Sep 16)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 17)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 18)
- Message not available
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 19)
- Re: Encrypted or Not Encrypted Rob (Sep 16)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
- Re: Encrypted or Not Encrypted Rob (Sep 17)
- RE: Encrypted or Not Encrypted Boaz Shunami (Sep 17)