Re: Encrypted or Not Encrypted

[Rob <robertwilcox () gmail com>]

So how are the credentials protected in network transit to the secure  
site?  The way you explain it, I see the creds being exposed on their  
way to the secure site.

Optimally they should enter their creds after ssl has setup the secure  
session, not after..

What am I missing?

Rob

Sent from my iPhone

On Sep 12, 2008, at 6:44 AM, Eifrém Strinnholm Jonas <Jonas.Eifrem@sweco.s 
e> wrote:

> Encrypted.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ] On
> Behalf Of amatachick () gmail com
> Sent: den 11 september 2008 20:25
> To: security-basics () securityfocus com
> Subject: Encrypted or Not Encrypted
>
> I've run into this issue a few times now and would like to know what  
> y'all
> think. Here is the situation: A website not using SSL has a login  
> page. As
> soon as credentials are entered on this page they are redirected to  
> a site
> using SSL. Here is a specific example of the code on one such site:
>
> <form name="loginpersonal" method="POST"
> action="https://secure.sitename.com/engine/login/login.asp";  
> onSubmit="return
> checkLoginForm(this);">
>
>   <input type=hidden name=IsPostback value=1>
>
>
>
> Now, from what I understand, the login credentials would still be
> unencrypted while traveling to the secure site. So that would negate  
> the
> effect of having it redirect to a secure site in the first place.  
> Right? I
> keep brining up this fact but all I get back is that it's being  
> redirected
> so it's secure. I feel like I'm taking crazy pills here so I'd  
> appreciate
> some feedback. Am I wrong? If I am I can handle that, I'd just like  
> to know.
> Thanks!