Form (in)Security?

Discussion in 'HTML' started by Sparticus, Nov 27, 2005.

  1. Sparticus

    Sparticus Guest

    Hello,

    I was looking at websites such as hotmail.com. If you notice when you
    go to hotmail.com and try and log in, it isn't a "secure site". I did
    notice that the 'form action' is sent to a secure site (ie. https).

    How does that help? Just because you send the form data to a secure
    site, the data is still sent in plain text to the secure site....
    right?

    Can someone explain what I am missing? Thanx a ton,

    Ryan Ritten
     
    Sparticus, Nov 27, 2005
    #1

  2. Sparticus wrote:
    > Hello,
    >
    > I was looking at websites such as hotmail.com. If you notice when you
    > go to hotmail.com and try and log in, it isn't a "secure site". I did
    > notice that the 'form action' is sent to a secure site (ie. https).
    >
    > How does that help? Just because you send the form data to a secure
    > site, the data is still sent in plain text to the secure site....
    > right?
    >
    > Can someone explain what I am missing? Thanx a ton,



    Believe so, the form with user/password should be accessed with https AND
    should post to https to encrypt the transmission. M$ *knows* security! ;-)

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
     
    Jonathan N. Little, Nov 27, 2005
    #2

  3. Sparticus

    Sparticus Guest

    I just find it odd that a large company like hotmail wouldn't have some
    sort of password protection....

    does anyone else have any comments on this?
     
    Sparticus, Nov 27, 2005
    #3
  4. "Sparticus" <> wrote:

    > I was looking at websites such as hotmail.com. If you notice when you
    > go to hotmail.com and try and log in, it isn't a "secure site".


    The page containing the login form is indeed sent via http, not https.
    It doesn't really matter, except in the sense that people may have been
    misled into thinking that it does (and even look for a lock symbol to
    indicate "secure site"). The page is sent unencrypted, but who cares?
    It's publicly accessible anyway.

    > I did
    > notice that the 'form action' is sent to a secure site (ie. https).


    Indeed. That's what matters.

    > How does that help?


    By making data transmission from your browser to the server encrypted.

    > Just because you send the form data to a secure
    > site, the data is still sent in plain text to the secure site....
    > right?


    Wrong. It's the action attribute that matters, not the URL of the page
    containing the form. The action attribute determines the address to be used
    in the transaction where your data is sent.

    --
    Yucca, http://www.cs.tut.fi/~jkorpela/
    Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html
     
    Jukka K. Korpela, Nov 27, 2005
    #4
  5. Sparticus

    Sparticus Guest

    Hmm... so if that's the case, then when I click 'submit' on the
    website, the website must see that the form 'action' is a secure site.
    So when it sees this, it then makes a secure connection with that
    site... then it sends over the encrypted data?

    can anyone else verify this is how it works? I need to know because I
    am making a website that needs to have the password sent via a html
    form secure.

    I noticed when you go to bank websites, or even gmail (google's mail)
    the login page is already a secure site.

    That's why I'm wondering if there is something I'm missing.

    TIA

    Ryan Ritten
     
    Sparticus, Nov 27, 2005
    #5
  6. Sparticus wrote:

    > Hmm... so if that's the case, then when I click 'submit' on the
    > website, the website must see that the form 'action' is a secure site.
    > So when it sees this, it then makes a secure connection with that
    > site... then it sends over the encrypted data?
    >
    > can anyone else verify this is how it works?


    Yep, I do ;)

    > I need to know because I
    > am making a website that needs to have the password sent via a html
    > form secure.
    >
    > I noticed when you go to bank websites, or even gmail (google's mail)
    > the login page is already a secure site.
    >
    > That's why I'm wondering if there is something I'm missing.


    If the page containing the form is served using HTTPS, the user can see this
    (lock icon). The user won't see how his data is sent after submitting the
    form (some browsers tell you about it "... you are sending data
    unencrypted..." - but this message can be disabled) - a 'lock icon' for
    submit buttons might be a nice idea, but you'll have to tell this to
    browser manufacturers...

    User may feel more secure, if the document with the form has 'lock icon' -
    but thinking that this implies that their data is sent securely is wrong.

    You should tell the users that their data is sent encrypted (some people
    think the 'lock icon' does this job, but this is wrong as said above) -
    they have to trust you anyway, unless they analyse the document source
    themselves.

    --
    Benjamin Niemann
    Email: pink at odahoda dot de
    WWW: http://www.odahoda.de/
     
    Benjamin Niemann, Nov 28, 2005
    #6
  7. Sparticus wrote:

    > can anyone else verify this is how it works? I need to know because I
    > am making a website that needs to have the password sent via a html
    > form secure.
    >
    > I noticed when you go to bank websites, or even gmail (google's mail)
    > the login page is already a secure site.
    >
    > That's why I'm wondering if there is something I'm missing.


    Well, if your form already contains sensitive data (e.g. prefilled login name
    or even worse, prefilled password), it should be served as HTTPS. But you
    should not do it anyway, browsers can prefill the login data on their own -
    if the user thinks this is sufficiently secure.

    --
    Benjamin Niemann
    Email: pink at odahoda dot de
    WWW: http://www.odahoda.de/
     
    Benjamin Niemann, Nov 28, 2005
    #7
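As an added example (not code from this thread or from any of its posters), the checker below applies what Jukka and Benjamin describe in #4, #6 and #7: it parses a page, resolves each form's action against the page URL the way a browser does (an empty action posts back to the page itself, a relative or protocol-relative action inherits the page's scheme), and reports separately whether the submitted data will be encrypted and whether the page that carried the form was itself served over HTTPS. The "medium" rating captures Benjamin's point that a form delivered over plain HTTP gives the user no way to confirm where the data goes without reading the source. The page URL, hostnames and HTML are constructed sample data, not taken from any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form>: its id, raw action, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # bare attributes arrive with value None
        if tag == "form":
            self._current = {
                "form": attrs.get("id") or "",
                "action": attrs.get("action") or "",
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form: the resolved submit target and a risk rating.

    The action URL decides whether the submitted data is encrypted (the point
    made in #4); the page scheme decides whether the user could have trusted
    the form they were shown (the point made in #6 and #7).
    """
    collector = FormCollector()
    collector.feed(html)
    page_encrypted = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        # urljoin mirrors browser resolution: "" -> the page URL itself,
        # "/path" -> same origin, "//host/path" -> same scheme as the page.
        target = urljoin(page_url, form["action"])
        data_encrypted = urlsplit(target).scheme == "https"
        if not form["has_password"]:
            risk = "info"      # no credential field in this form
        elif not data_encrypted:
            risk = "high"      # password would travel in plaintext
        elif not page_encrypted:
            risk = "medium"    # data encrypted, but the form page was unprotected
        else:
            risk = "low"
        findings.append({
            "form": form["form"],
            "target": target,
            "has_password": form["has_password"],
            "data_encrypted": data_encrypted,
            "page_encrypted": page_encrypted,
            "risk": risk,
        })
    return findings


# Constructed sample: a login page served over plain http, with three forms.
SAMPLE_PAGE_URL = "http://mail.example.test/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://auth.example.test/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<form id="legacy" method="post" action="//auth.example.test/login">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
<form id="search" action="/search">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['form']:8} -> {finding['target']:40} risk={finding['risk']}")
```

Note the "legacy" form: its protocol-relative action looks like it points at the same login host, but on an http page it resolves to http and the password goes out unencrypted, which is exactly the kind of detail a user checking for a lock icon would never see.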