• Status: Solved

http vs https: when is a login safe?

When I am on some site such as http://www.sample.com/, and there are 2 form fields, such as username and password on that site, and a SUBMIT button: is this login safe or unsafe? After pressing SUBMIT, I come to an https site.
Same question, in other words: is the SSL protection active depending on the presence/absence of the https in the starting site xor in the destination site?
Sonja_M
Asked:
8 Solutions
 
Dave Baldwin (Fixer of Problems) Commented:
It's not the current page but the connection to the next page that is important.  The current page using 'http' has already been requested and received.  What you want to keep the form data secure is for the next request (from the form to the destination page) to be using 'https'.

Sean Jackson (Information Security Analyst) Commented:
If you're on a page hosted at http:// and you hit submit, that data will travel from your browser to that server unencrypted.  If that page is on https:// and you hit submit, the data is going to travel through an encrypted tunnel.  

Entering a username and password on http:// is not safe.  It can be subject to others who are watching the traffic.

Dave Baldwin (Fixer of Problems) Commented:
Sean, that's Not The Way It Works.  It's the form 'action' URL that needs to be 'https', not the current page.  The current page is already done.  There is nothing that can read from it anymore.
 
Gary Commented:
Whilst login forms should really be on an HTTPS page to prevent any hacking, Dave's comment is the correct one.

Gary Commented:
Just to be clear - when I say hacking, I mean of the unsecure form data being sent to the browser initially, not hacking the posted data.

p.s.
No points for this, was just to back up Dave's answer.

Sean Jackson (Information Security Analyst) Commented:
Dave, are you saying that the page is rendered in plaintext, and then if I hit submit, and the form action is GET or POST, when it connects back to the server, that's when the SSL handshake occurs?  Not when the authenticated user gets their privileged page?

Gary Commented:
That's correct.

Scott Fell, EE MVE (Developer & EE Moderator) Commented:
No points.   I concur with Dave's original answer.

Dave Baldwin (Fixer of Problems) Commented:
Yes, that's what I'm saying.  It's fine if both pages are SSL / https like Gary suggested but the important page, the request with the info you want to protect, is the 'action' page in the form.  That's when the info needs to be secure.  When you're typing your info into the form, it has already been loaded into your browser.  It's when you submit the form, that you need it to be encrypted to prevent people from reading it.

Sonja_M (Author) Commented:
Thank you all for your detailed and precise answers and interesting additional aspects.