When to change to https

UncleCake (Technical User, US), Feb 4, 2002
When is it appropriate to change from http to https? Is it after their password is validated, or starting with the page that asks for their password?

-Uncle Cake
 
You should use https at the earliest opportunity.

The golden rule here: if it's not being done via https, it's not safe. Including when people first type their passwords in.

Without a doubt, protect the password page as well otherwise you have a serious :( fault in your security.

hth
Tels, Mixed Linux/Win2000 Network Administrator
 
Thanks Tels,

How would I handle it if I had a log in on my home page? I currently have it so that the page that receives the form is secure, but if the home page is secure, then all of the pages will be secure, unless there is another way to do it.

I don't have any data that is available that can be retrieved by knowing a username/password; it is used to give customer pricing and collect credit card info at the end of a transaction, which is always secure.

Any suggestions?

-Uncle Cake
 
If you want to create a form and have someone enter their credit card info and all that, create a form, then talk to your hosting company and see what security they provide (there is also software out there that can encrypt the data)...
The form has to be on an HTTPS server (the secure server).

I have not failed; I merely found 100,000 different ways of not succeeding...
 
Yep. A good ISP will be able to serve any content you like via secure https, although it might involve you yourself obtaining the certificate. Visit Thawte to get an idea of what's involved.

I somehow sense (correct me if I am wrong) you have reasons not to put your whole home page on secure https.
If you want to have a secure password login on a non-secure page, you could use an IFRAME or layer and direct that layer's source to that of your secure login page....

If you do that, the browser should alert the user of mixed secure/non-secure content, which could be annoying.

Either way, it is important not to send the password through the internet unprotected, as a cracker could use that one bit of information to unpick the rest of your security and impersonate a genuine client.

In ANY event, individual secure sessions are secure against snooping, even if a password has been compromised.

Hope this helps

Tels, Mixed Linux/Win2000 Network Administrator
 
We actually host our own web site, so I can do whatever I would like to do. I can't stand frames, and I don't know whether an IFRAME is just a framed site or not.

The reason that I don't want the entire site to be secure is because I have read somewhere, which I can't recall where, that the processing time is longer when it goes HTTPS instead of HTTP. Only about 1/3 of my users actually log in, but I want to make it as secure as possible.

I guess what I am wondering is how all of the other web sites out there do it with a login on their home page, or a logon screen, without it being HTTPS, unless it isn't secure?

-Uncle Cake
 
I suppose it depends on the nature of your site. With something like tek-tips, I guess the passwords can be sent in clear text because a breach wouldn't be the end of the world.
But if, say, you were remembering clients' credit card details and letting the client access it via a login, you certainly wouldn't want the password sent as clear text.

As for an IFRAME, it is an IE5+-specific object (although I think it's supposed to work in NS6).
It behaves like a frame, Javascript treats it just like a frame and it becomes part of the document.frame DOM array. However, it can be embedded wherever you like and so doesn't have the limitations of traditional frames.
(IFRAME = Inline Frame)

IMO you will need to use either frames or layers if you want to place a small, totally secure login on an otherwise unsecure page.
You could sidestep this by having a link to a login popup instead.

A good example of an IFRAME is my site, where I built the whole site around it. You'll need IE5+, though.

Tels, Mixed Linux/Win2000 Network Administrator
 
Tels,

The only thing that a user can see is discounted pricing for their company and past orders. Other than that, most of our customers enter a PO; only a few use a credit card, which is all secure, so the data isn't really sensitive before that, but I would like to do what is best and recommended since I have the capabilities, but I don't know what is the most effective.

Thanks for your input.

-Uncle Cake
 
Well, if no seriously sensitive data or applications are kept permanently on the https, I suppose you can use an unsecure form to submit the password directly to a secure site.
Like I said, every *individual* secure transaction is private and immune to eavesdropping, so one-off credit card payments can be safely made. I just wouldn't store any sensitive data this way...

Ultimately you need to make a choice between performance and security based on the level of security you think you need.

You have the technology......
8)
Tels, Mixed Linux/Win2000 Network Administrator
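An added example (my own, not code from the thread) showing in Node.js what the two suggestions above turn on: whether a login form's action resolves to https, and whether the page carrying the form itself came over https. It scans constructed sample HTML for forms containing a password field and resolves each action against the page URL with the WHATWG URL class. A form on an http page posting to https keeps the password encrypted in transit, but because the page itself arrived unprotected, that case is flagged separately: the form, including its action attribute, could have been altered before the user saw it. The page URL, hostnames and HTML below are constructed for the example.

```javascript
// Added example (not from the thread): audit where a page's login forms would
// send the password, given the page URL and its HTML. Plain Node.js, no DOM.

// Resolve a form action against the page URL and classify the submission.
function classifySubmission(pageUrl, action) {
  const page = new URL(pageUrl);
  // An empty or missing action submits back to the page's own URL.
  const target = new URL(action || "", page);
  if (target.protocol === "https:") {
    // Transit is encrypted either way, but an http page could have been
    // modified on the way to the user, action attribute included.
    return page.protocol === "https:" ? "encrypted" : "encrypted-but-page-tamperable";
  }
  return "cleartext";
}

// Minimal form scanner: find <form ...>...</form> blocks that contain a
// password field and report each action's classification. Regex-based, which
// is enough for plain HTML like the sample below; not a general HTML parser.
function auditLoginForms(pageUrl, html) {
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!/<input\b[^>]*type\s*=\s*["']?password/i.test(body)) continue;
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = actionMatch ? actionMatch[1] : "";
    results.push({
      action: new URL(action || "", pageUrl).href,
      verdict: classifySubmission(pageUrl, action),
    });
  }
  return results;
}

// Constructed sample: an http home page carrying two login forms (one posting
// back over http, one posting to an https host) and one non-login form.
const SAMPLE_PAGE_URL = "http://www.example.com/index.html";
const SAMPLE_HTML = `
<html><body>
<form method="post" action="login.php">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form method="post" action="https://secure.example.com/login.php">
  <input name="user">
  <input type='password' name='pass'>
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>`;

const SAMPLE_REPORT = auditLoginForms(SAMPLE_PAGE_URL, SAMPLE_HTML);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Run it with `node` to see the report for the sample page; the first form is reported as cleartext, the second as encrypted in transit but served from a tamperable page. Only a page that is itself served over https gets the plain "encrypted" verdict, which is the "earliest opportunity" rule from the first reply in code form.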
 
Hi guys,

I don't have time to read all the other posts, so this may be duplicated above; if so, sorry.

If you accept ANY credit card numbers, then you should really use SSL for a login as well as the actual login form.

The easiest way to achieve this is to use a link on the http site rather than an actual login box; something like "My Account" works fine and people understand that.

When the user clicks on this link, take them to the SSL server and process all the data there.

Also, just in case you don't do this already, when the user logs in, show any stored bank or credit card numbers with digits missing, 1234-4567-xxxx etc.

This saves you from the chance of a user gaining access and getting someone's details. If you display the full data on screen and someone gets access to this, the user would have quite a good case against you in court.

Always make something as secure as possible; never compromise security for performance.

Hope this helps

Wullie

sales@freshlookdesign.co.uk

 
Good tip about xxxx-ing the credit card numbers out... you should do this for any invoice you might print too. It's good practice.

Tels, Mixed Linux/Win2000 Network Administrator
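The masking Wullie and Tels describe, as an added example (not code from the thread) in Node.js. It goes slightly beyond the post: Wullie's illustration shows the first eight digits, while PCI DSS allows at most the first six and last four digits of a card number to be displayed, so the function below shows only the last four by default and refuses to reveal more than that cap. A second helper applies the same masking to every card-number-looking run in free text, for the printed invoices Tels mentions. The card numbers and invoice line are constructed test data.

```javascript
// Added example (not from the thread): mask a stored card number for display.
// Non-digit separators (spaces, dashes) in the input are preserved so the
// grouping still reads naturally: "4111 1111 1111 1111" -> "xxxx xxxx xxxx 1111".
function maskCardNumber(pan, { keepLeading = 0, keepTrailing = 4, maskChar = "x" } = {}) {
  if (typeof pan !== "string") throw new TypeError("pan must be a string");
  const digits = pan.replace(/\D/g, "");
  if (digits.length < 12 || digits.length > 19) {
    throw new RangeError("card number must have 12-19 digits");
  }
  // PCI DSS caps what may be shown at the first six and last four digits;
  // refuse to display more even if a caller asks for it.
  if (keepLeading > 6 || keepTrailing > 4) {
    throw new RangeError("at most the first 6 and last 4 digits may be displayed");
  }
  let seen = 0;
  let out = "";
  for (const ch of pan) {
    if (!/\d/.test(ch)) { out += ch; continue; }      // keep separators as-is
    const visible = seen < keepLeading || seen >= digits.length - keepTrailing;
    out += visible ? ch : maskChar;
    seen += 1;
  }
  return out;
}

// Mask every card-number-looking run (12-19 digits, optionally separated by
// single spaces or dashes) in free text such as an invoice about to be printed.
// Conservative by design: a 12-19 digit order number would be masked too.
function maskCardNumbersInText(text, options) {
  return text.replace(/\b(?:\d[ -]?){11,18}\d\b/g, (run) => maskCardNumber(run, options));
}

// Constructed sample invoice line (test card number, not a real account).
const SAMPLE_INVOICE_LINE = "Paid with card 4111-1111-1111-1111 on 2002-02-04";
console.log(maskCardNumbersInText(SAMPLE_INVOICE_LINE));
```

Apply the masking at the point of display or printing and keep the stored value out of the template entirely; masking in the browser after the full number has been sent to the page defeats the purpose.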
 