SSL Login Question 1

[neomorpheus]

I am working on a project that involves securing our login forms. Currently we have a login box on the homepage (not secure). We do have SSL on our whole site, so

http://www.sitename.com

and

https://www.sitename.com

work well. I have tried to submit the login on the homepage to a

https://www.sitename.com/loginsubmit.cfm.

Though it works well, it is my opinion that to be totally secure, the login process needs to happen from a https to https page. So in this case our homepage which is not secure could not have securely transmitted to info the https page. Am I right?

Once I reach the secure page and move to non-secure page, i get an annoying popup- warning me of the impending danger

My question is-

Is there a workaround to make sure that the data is totally encrypted moving from http to https? Is there a way to get rid of the annoying https to http warning popup.

For example-

http://salliemae.com

The login on the homepage is not https. But when submitted, it goes to a https page. Is that really secure?

Thanks for taking the time to read thru this and I hope you can shed some light on this topic for me. Much appreciated. Thanks.

 

[ReddLefty]

You need to get your Certificate approved by security companies like Verisign. You basically pay money for them to validate that you have a certificate that has been issued by them. They will send you a new certificate that you add into your web site. You have to renew it every so often (1 year or 2 years, depending on what you buy).


Basically, Internet Explorer (for this example) will recognize it's from Verisign and it will not pop-up the security window warning if you left the default settings on Internet Explorer.

If you don't want to spend the cash, then I'm afraid that you will need to keep clicking on the "Yes" button when the security box appears. The data will not be encrypted any differently with the Verisign certificate or not. What Verisign do is basically certify that it's a genuine certificate from them.



"In space, nobody can hear you click..."

 

[neomorpheus]

The popup alert is actually a warning that we are moving away from a https to http page. Our certificate is validated by Verisign.

My problem lies in the fact that I would like to secure the login process. I want the Login details to be encrypted and secure. Since the requirements involve placing the login box on the homepage (not secure- http), submitting the form to a https submit page really doesnt provide the necessary security. The data from a http page on the way to a https page can still be sniffed on. But some popular websites do offer this option and I am not sur eif it is the right thing to do. Additionally, i do not want to make my homepage https.

However, I do have a https login page that visitors are directed to if they plan to login after a bit of surfing. I fake submit to a https page to make the data secure and redirect to the page they wanted to go to(to prevent the annnoying "you are going to a unsecured site" popup). So that part of it is cool. Its the Homepage login that bothers me as I am unable to find any standard procedure for it.

Any thoughts? Thanks for the help

 

[siberian]

What we have done is put a lock icon on the page that users can toggle.

This way if they want a secure login on the home page they can 'flip' the homepage into secure mode.

We felt it was the best middle ground for us in our application, let the user choose a paranoia level.