PaulDotCom mailing list archives
SSL Encryption and HTML
From: cdf123 at cdf123.net (Chris Frederick)
Date: Wed, 29 Oct 2008 09:06:37 -0500
Cody Ray wrote:

> Although the login does not occur on a secure HTML page, the login is, in fact, secure.

No, in fact, it isn't. It just means that I have to trust that your insecure login page came from your site, which can't be verified. This makes it much easier for a 'haxor' to post the login HTML on another site and change the action to go somewhere else. Once you click that submit button, it's too late; the data is sent. Are you going to view-source every time you get the login page to make sure the form is posting to the correct location?

<rant> The whole issue they are bringing up with this SSL side-stepping is trust. They are asking you to trust their 'sleight-of-hand' security, which doesn't appear to be very trustworthy. This causes (or should cause) the whole trust foundation to break down. What other areas of security are they skimping on? </rant>

Does this mean that the cookie that is set up on login can be used for the http and https sections of the site to identify you? In that case, anyone sniffing traffic between you and the bank could possibly see your session cookie if you ever navigated to the insecure site after being logged in. There were a lot of sites (banks included) that got in trouble recently by not securing their cookies.

This whole thing smells bad.

My $0.02...

Chris
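The cookie point above, as an added example that is not part of the original post or thread: a small checker that parses a Set-Cookie header and simulates the browser's rule that only a cookie carrying the Secure attribute is withheld from plain-http requests. The header values and the bank.example URL are constructed for illustration.

```python
"""Would a login cookie leak onto the plain-http sections of a site?

Scenario from the thread: the user logs in, receives a session cookie, then
browses to an http:// page of the same site. A browser only withholds the
cookie from that request when the Secure attribute was set on it.
"""
from urllib.parse import urlsplit

# Constructed sample Set-Cookie values; not taken from any real site.
WEAK_SET_COOKIE = "SESSIONID=abc123; Path=/"
HARDENED_SET_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly"


def parse_set_cookie(header_value):
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lowercased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_sent_to(header_value, url):
    """Simulate the browser's decision: is the cookie attached to a request to url?

    Only the URL scheme and the Secure flag are modelled; domain and path
    scoping are assumed to match (same site, Path=/), as in the scenario.
    """
    _, _, attrs = parse_set_cookie(header_value)
    if attrs.get("secure") is True and urlsplit(url).scheme != "https":
        return False
    return True


def audit_session_cookie(header_value):
    """List the protections a login/session cookie is missing."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("missing Secure: sent over plain http, so it can be sniffed")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable by script running on the page")
    return findings
```

Running `audit_session_cookie` against a site's real login response is a quick way to confirm whether the http and https sections share a sniffable session cookie.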