Form (in)Security?

Sparticus

Hello,

I was looking at websites such as hotmail.com. If you notice when you
go to hotmail.com and try and log in, it isn't a "secure site". I did
notice that the 'form action' is sent to a secure site (i.e. https).

How does that help? Just because you send the form data to a secure
site, the data is still sent in plain text to the secure site....
right?

Can someone explain what I am missing? Thanx a ton,

Ryan Ritten
 
Jonathan N. Little

Sparticus said:
> Hello,
>
> I was looking at websites such as hotmail.com. If you notice when you
> go to hotmail.com and try and log in, it isn't a "secure site". I did
> notice that the 'form action' is sent to a secure site (i.e. https).
>
> How does that help? Just because you send the form data to a secure
> site, the data is still sent in plain text to the secure site....
> right?
>
> Can someone explain what I am missing? Thanx a ton,

Believe so, the form with user/password should be accessed with https AND
should post to https to encrypt the transmission. M$ *knows* security! ;-)
 
Sparticus

I just find it odd that a large company like hotmail wouldn't have some
sort of password protection...

Does anyone else have any comments on this?
 
Jukka K. Korpela

Sparticus said:
> I was looking at websites such as hotmail.com. If you notice when you
> go to hotmail.com and try and log in, it isn't a "secure site".

The page containing the login form is indeed sent via http, not https.
It doesn't really matter, except in the sense that people may have been
misled into thinking that it does (and even look for a lock symbol to
indicate "secure site"). The page is sent unencrypted, but who cares?
It's publicly accessible anyway.

> I did notice that the 'form action' is sent to a secure site (i.e. https).

Indeed. That's what matters.

> How does that help?

By making data transmission from your browser to the server encrypted.

> Just because you send the form data to a secure site, the data is
> still sent in plain text to the secure site.... right?

Wrong. It's the action attribute that matters, not the URL of the page
containing the form. The action attribute determines the address to be used
in the transaction where your data is sent.
 
Sparticus

Hmm... so if that's the case, then when I click 'submit' on the
website, the website must see that the form 'action' is a secure site.
So when it sees this, it then makes a secure connection with that
site... then it sends over the encrypted data?

Can anyone else verify this is how it works? I need to know because I
am making a website that needs to have the password sent via an HTML
form securely.

I noticed when you go to bank websites, or even gmail (google's mail)
the login page is already a secure site.

That's why I'm wondering if there is something I'm missing.

TIA

Ryan Ritten
 
Benjamin Niemann

Sparticus said:
> Hmm... so if that's the case, then when I click 'submit' on the
> website, the website must see that the form 'action' is a secure site.
> So when it sees this, it then makes a secure connection with that
> site... then it sends over the encrypted data?
>
> Can anyone else verify this is how it works?

Yep, I do ;)

> I need to know because I am making a website that needs to have the
> password sent via an HTML form securely.
>
> I noticed when you go to bank websites, or even gmail (google's mail)
> the login page is already a secure site.
>
> That's why I'm wondering if there is something I'm missing.

If the page containing the form is served using HTTPS, the user can see this
(lock icon). The user won't see how his data is sent after submitting the
form (some browsers tell you about it: "... you are sending data
unencrypted..." - but this message can be disabled). A 'lock icon' for
submit buttons might be a nice idea, but you'll have to tell this to
browser manufacturers...

Users may feel more secure if the document with the form has a 'lock icon' -
but thinking that this implies that their data is sent securely is wrong.

You should tell the users that their data is sent encrypted (some people
think the 'lock icon' does this job, but this is wrong, as said above) -
they have to trust you anyway, unless they analyse the document source
themselves.
 
Benjamin Niemann

Sparticus said:
> Can anyone else verify this is how it works? I need to know because I
> am making a website that needs to have the password sent via an HTML
> form securely.
>
> I noticed when you go to bank websites, or even gmail (google's mail)
> the login page is already a secure site.
>
> That's why I'm wondering if there is something I'm missing.

Well, if your form already contains sensitive data (e.g. prefilled login name
or even worse, prefilled password), it should be served as HTTPS. But you
should not do it anyway; browsers can prefill the login data on their own -
if the user thinks this is sufficiently secure.