Solved

http vs https : when is a login safe ?

Posted on 2014-07-30
10
316 Views
Last Modified: 2014-07-30
when I am on some site such as http://www.sample.com/, and there are 2 form fields, such as username and password on that site, and a SUBMIT button: is this login safe or unsafe ? After pressing SUBMIT, I come to a https site.
Same question, in other words: is the ssl protection active depending on the presence/absence of the https in the the starting site xor in the  destination site ?
0
Comment
Question by:Sonja_M
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 363 total points
ID: 40230115
It's not the current page but the connection to the next page that is important.  The current page using 'http' has already been requested and received.  What you want to keep the form data secure is for the next request (from the form to the destination page) to be using 'https'.
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 40 total points
ID: 40230122
If you're on a page hosted at http:// and you hit submit, that data will travel from your browser to that server unencrypted.  If that page is on https:// and you hit submit, the data is going to travel through an encrypted tunnel.  

Entering a username and password on http:// is not safe.  It can be subject to others who are watching the traffic.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 363 total points
ID: 40230144
Sean, that's Not The Way It Works.  It's the form 'action' URL that needs to be 'https', not the current page.  The current page is already done.  There is nothing that can read from it anymore.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 92 total points
ID: 40230150
Whilst login forms should really be on an HTTPS page to prevent any hacking Dave's comment is the correct one
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 92 total points
ID: 40230183
Just to be clear - When I say hacking I mean of the unsecure form data being sent to the browser initially not hacking the posted data

p.s.
No points for this, was just to backup Dave's answer.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 40 total points
ID: 40230257
Dave, are you saying that the page is rendered in plaintext, and then if I hit submit, and the form action is GET or POST, when it connects back to the server, that's when the SSL handshake occurs?  Not when the authenticated user gets their privileged page?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 92 total points
ID: 40230267
Thats correct.
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40230402
No points.   I concur with Dave's original answer.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 363 total points
ID: 40230404
Yes, that's what I'm saying.  It's fine if both pages are SSL / https like Gary suggested but the important page, the request with the info you want to protect, is the 'action' page in the form.  That's when the info needs to be secure.  When you're typing your info into the form, it has already been loaded into your browser.  It's when you submit the form, that you need it to be encrypted to prevent people from reading it.
0
 

Author Closing Comment

by:Sonja_M
ID: 40230654
thank you all for your detailed and precise answers and interesting additional aspects
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Microsoft Edge 9 91
How to lock email accounts when notebook stolen 9 70
ADFS Queries 3 49
Cheap SSL Certificates 3 105
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now