Is a signon to an SSL site from an http:// page secure?
Frank DiPrete
fdiprete at comcast.net
Thu Jun 23 16:57:01 EDT 2005
On Thu, 2005-06-23 at 13:41 -0400, Ted Roche wrote:
> I always thought that you needed to be using an https:// page before
> sending user names and passwords to log in. My credit union claims
> this isn't true, and that since clicking the signon button takes you
> to an SSL page, the information typed in is transmitted securely. I
> have my doubts. Here's a portion of their claim, from the front page
> of http://www.navyfcu.org. I'd welcome opinions.
>
> "Your experience online is very important to Navy Federal, and the
> Account Access Sign On is conveniently located on our Navy Federal
> home page. However, you may have recognized that, when you are on the
> home page, the familiar security symbols do not appear in your
> browser to symbolize that the page is secure. In fact, the home page
> itself is informational and not encrypted. Therefore it does not
> display the familiar “Lock” symbol in the bottom right–hand corner,
> nor does the address line begin with https. However, it is “safe” to
> enter your sign-on information from the home page. Your Access
> Number, User ID and Password are not transmitted until you click the
> “Sign On” button. After you click the “Sign On” button, a secure,
> encrypted connection is established between your personal computer’s
> browser and our Navy Federal systems, using Secure Socket Layers
> (SSL). After you click “Sign On”, you can validate that SSL is being
> used by seeing that “https” is displayed at the beginning of the data
> in your browser’s address line."
--
</lurk mode>
This is correct. The form will call another URL (probably POST).
Check the page source and look for the form's script URL - it probably
begins with https://
<lurk mode>
Frank DiPrete <fdiprete at comcast.net>