Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

http to https post form data 4

Status
Not open for further replies.
Roadki11

Roadki11

MIS
Mar 23, 2005
1,097
US
Can anyone think any issue(security) with gathering a user name and password on an unencrypted page and posting it to an https page? I am thinking this should be safe but then again I think it might not be.

thanks,

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Sort by date Sort by votes
I normally use the below script to have my entire page https after login.. just to be sure.

If Request.ServerVariables("HTTPS") = "off" Then Response.Redirect "https://[Your page]"

 
Upvote 0 Downvote
This is an unusual hosting situation where I wouldn’t be able to secure the site. We would collect (unsecured) the username and password and pass that to a 3rd party https login page. Is the username/password vulnerable in that process is the question? This is just hypothetical; I know I could just use a link to get them to the 3rd party site, just trying to figure out how unsafe my proposal is.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Upvote 0 Downvote
as long as it is not https, it will be vulnerable

Sorry that I cannot help more
 
Upvote 0 Downvote
It's not secure. See:


"Placing secure login boxes on insecure pages: A full 47 percent of banks were guilty of this. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. In a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim. To solve this problem, banks should use the standard "secure socket layer" (SSL) protocol on pages that ask for sensitive information, Prakash says. (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.
 
Upvote 0 Downvote
Thanks to both of you for the replies. Spork52, that was exactly what I was looking for but unable to find. Thanks again guys.


RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Swi
  • Locked
  • Question
JQUERY AJAX POST and how to receive data via Classic ASP
Replies
0
Views
288
Swi
Swi
leifoet
  • Locked
  • Question
How to send HTML emails with ASP classic?
Replies
0
Views
252
leifoet
leifoet
leifoet
  • Locked
  • Question
How to check if a datatable is empty ?
Replies
0
Views
193
leifoet
leifoet
penguinspeaks
  • Locked
  • Question
Return to current location on page after asp processes.
Replies
2
Views
203
penguinspeaks
penguinspeaks
Swi
  • Locked
  • Question
Best/Quickest Grid to display data
Replies
1
Views
170
Swi
Swi

Part and Inventory Search

Sponsor

Back
Top