Is a signon to an SSL site from an http:// page secure?
Benjamin Scott
dragonhawk at iname.com
Thu Jun 23 21:16:01 EDT 2005
On Jun 23 at 1:41pm, Ted Roche wrote:
> I always thought that you needed to be using an https:// page before sending
> user names and passwords to log in. My credit union claims this isn't true,
> and that since clicking the signon button takes you to an SSL page, the
> information typed in is transmitted securely.
Everybody's comments about the form's submit method are accurate as far as
they go. If the information in the form is submitted via an HTTPS URL, then
you get SSL protection for the data submitted via said form. That will
provide protection against attackers sniffing your data. In other words, this
is providing /confidentiality/.
There are other threats, however. In particular, if the HTML form itself
was sent via HTTP, you lack /authenticity/. Maybe bad guys are intercepting
the connection and feeding you a fake form that just *looks* like the real
thing. This is a lot easier with cleartext HTTP. With SSL, you can always
click the little key/lock and check the certificate. There's a fairly high
level of confidence associated with that. (Well, in theory, anyway.
VeriSign frell-ups notwithstanding.)
For example, if I'm making a Paypal payment, you can bet I carefully check
the certificate before punching in my password, to make sure I'm using the
real Paypal system. I couldn't do that if only the form submission was
SSL'ed.
Of course, there's also Gene "spaf" Spafford's apt observation: "Using
encryption on the Internet is the equivalent of arranging an armored car to
deliver credit card information from someone living in a cardboard box to
someone living on a park bench." If you've been watching the IT security news
these past few months, you'll have noticed that most organizations spend more
effort on buying paperclips than protecting customer data.
--
Ben <dragonhawk at iname.com>