SSL before or after submit?

paulbutcher · June 8, 2009, 2:02pm

A general question regarding SSL and login. Does it matter if a login
form is not passed through SSL when sent to the user browser but the
post action is? Will the password be sent through SSL in this case?

paulbutcher · June 8, 2009, 7:04pm

2009/6/8 Pål Bergström [email protected]:

A general question regarding SSL and login. Does it matter if a login
form is not passed through SSL when sent to the user browser but the
post action is? Will the password be sent through SSL in this case?

Both need to be wrapped in SSL for proper security. If the form is
not SSL then people can do MITM attacks (among others) to get the
username/password sent to the wrong server.

–
Aaron T.
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
Those who would give up essential Liberty, to purchase a little
temporary
Safety, deserve neither Liberty nor Safety.
– Benjamin Franklin

paulbutcher · June 8, 2009, 7:10pm

Aaron T. wrote:

Both need to be wrapped in SSL for proper security. If the form is
not SSL then people can do MITM attacks (among others) to get the
username/password sent to the wrong server.

Thanks for the clarification.

paulbutcher · June 8, 2009, 8:20pm

Aaron T. wrote:

2009/6/8 Pï¿½l Bergstrï¿½m [email protected]:

A general question regarding SSL and login. Does it matter if a login
form is not passed through SSL when sent to the user browser but the
post action is? Will the password be sent through SSL in this case?

Both need to be wrapped in SSL for proper security. If the form is
not SSL then people can do MITM attacks (among others) to get the
username/password sent to the wrong server.

Besides that, users expect to see the lock (and https) on the page with
the login form. I’d be leery of any site that contained a
username/password that was not contained within a secure page. Plus
there’s no good reason not to secure the login form’s page.

paulbutcher · June 8, 2009, 9:08pm

Robert W. wrote:

Aaron T. wrote:

Besides that, users expect to see the lock (and https) on the page with
the login form. I’d be leery of any site that contained a
username/password that was not contained within a secure page. Plus
there’s no good reason not to secure the login form’s page.

A strong reason. I say the same. I hesitate if I don’t see the lock and
https.