Security Basics mailing list archives
Re: Encrypted or Not Encrypted
From: krymson () gmail com
Date: 12 Sep 2008 15:04:57 -0000
That transfer should still be encrypted as the submit action is to an SSL target. The SSL will be negotiated before the information is transferred. I'd suggest verifying anything anyone says (including me!) by using Wireshark as you submit the form. It should be inside the SSL/TLS packets, and not sent before. <- snip -> I've run into this issue a few times now and would like to know what y'all think. Here is the situation: A website not using SSL has a login page. As soon as credentials are entered on this page they are redirected to a site using SSL. Here is a specific example of the code on one such site: <form name="loginpersonal" method="POST" action="https://secure.sitename.com/engine/login/login.asp" onSubmit="return checkLoginForm(this);"> <input type=hidden name=IsPostback value=1> Now, from what I understand, the login credentials would still be unencrypted while traveling to the secure site. So that would negate the effect of having it redirect to a secure site in the first place. Right? I keep brining up this fact but all I get back is that it's being redirected so it's secure. I feel like I'm taking crazy pills here so I'd appreciate some feedback. Am I wrong? If I am I can handle that, I'd just like to know. Thanks!
Current thread:
- Re: Encrypted or Not Encrypted, (continued)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 16)
- RE: Encrypted or Not Encrypted Basha, Arif (Sep 16)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 17)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 18)
- Message not available
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 19)
- Re: Encrypted or Not Encrypted Rob (Sep 17)
- RE: Encrypted or Not Encrypted Boaz Shunami (Sep 17)
- RE: Encrypted or Not Encrypted Marco M. Morana (Sep 16)