
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

Posted on 2014-09-08
Last Modified: 2014-09-24
I get this error in Firefox. I don't know what it is or how to fix it.
Question by:vrosas_03
9 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1332 total points
ID: 40311037
No, the security risk is when they are sent to a page using HTTP instead of HTTPS.  If it is your website, you should fix it although there are many, many pages with logins that do not use HTTPS.  If it is not your website, then you need to decide whether or not to go there.  Although I log in to all kinds of pages, I have never seen that warning.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40311038
So you have a login form/inputs on an http page

Solution:
Have your login form on a secure page https

Many websites do it, but remember normal people don't have Firebug running so they never see that message
0
 
LVL 58

Expert Comment

by:Gary
ID: 40311057
"No, the security risk is when they are sent to a page using HTTP instead of HTTPS"
Gonna disagree, the tunnel could have already been intercepted and posting to https is not gonna make a difference at that point.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1332 total points
ID: 40311090
"the tunnel could have already been intercepted"
What does that mean?  If I put up a login form and someone types their password into the form, at that point it has not even left their computer.  If the 'action' page is 'https://...', the first thing that happens when they submit the form is that an encrypted connection is negotiated Before any data is sent.

The most important part about HTTPS is that the connection is encrypted before Any data is sent.  No data is sent in the clear with an HTTPS connection.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40311097
Because the target could have already been replaced, the connection may be secure but the connection to where?
If it's loaded on an SSL connection to start with then it cannot be altered.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40311131
That's one I never thought of.  But I guess if there is enough money involved, someone will try that.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40311140
Doesn't need that much money involved, pop into the local cafe with wi-fi, you could probably pick up login details and other stuff and Joe Bloggs would never know.

30 minutes later you could be ordering all kinds of things - worst case scenario I know but...has happened.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 668 total points
ID: 40311143
http://www.ehacking.net/2013/06/irisking-security-by-not-securing-login.html

p.s.
I have an unsecure login form on one site, but I don't store any personal information. Still bad form on my part.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40311421
I don't WiFi anywhere.  I have a wireless router though I don't use it for any of my own business.  Last time I checked, there were 52 wireless networks here.
0
