Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

http to https post form data 4

Status
Not open for further replies.

Roadki11

MIS
Mar 23, 2005
1,097
US
Can anyone think any issue(security) with gathering a user name and password on an unencrypted page and posting it to an https page? I am thinking this should be safe but then again I think it might not be.

thanks,

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I normally use the below script to have my entire page https after login.. just to be sure.

If Request.ServerVariables("HTTPS") = "off" Then Response.Redirect "https://[Your page]"

 
This is an unusual hosting situation where I wouldn’t be able to secure the site. We would collect (unsecured) the username and password and pass that to a 3rd party https login page. Is the username/password vulnerable in that process is the question? This is just hypothetical; I know I could just use a link to get them to the 3rd party site, just trying to figure out how unsafe my proposal is.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
as long as it is not https, it will be vulnerable

Sorry that I cannot help more
 
It's not secure. See:


"Placing secure login boxes on insecure pages: A full 47 percent of banks were guilty of this. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. In a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim. To solve this problem, banks should use the standard "secure socket layer" (SSL) protocol on pages that ask for sensitive information, Prakash says. (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.
 
Thanks to both of you for the replies. Spork52, that was exactly what I was looking for but unable to find. Thanks again guys.


RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top