On Fri, 14 Jul 2006 10:43:44 +0100, Wilhelm Kutting <wk******@arcor.de>
wrote:
> HTTP = not secure, name and password sent without encryption
HTTPS = secure, name and password sent encrypted
Hope this helps
So if the loginform is http, the username and password is send via
cleartext.
No, the statement you were replying to is incorrect.
If the form is submitted to a HTTPS address (or a HTTP address that set to
use SSL/TLS) then the form data will arrive securely, but there is another
issue with using insecure login pages like this.
How do you know what data is being sent there securely, and what else is
being sent to other addresses? By using an insecure login page, or by
including insecure elements inside an HTTPS page (javascripts, iframes,
etc), you make it possible for the login page to be tampered with by third
parties. Malicious Javascript could be inserted to read users' login
credentials when they submit the form, and this could then be sent
elsewhere just before they go to the real login page. Or they could divert
the form submission to a page of their own (such as a fake site to try and
get more information - "Important message from your friendly service
provider - Your credit card information is now out of date, please
<a...>update it now</ato avoid problems, thank you.")
It's good practice to have both the login page and the page you submit to
fully secure (with everything in that page sent over HTTP from the same
server - including the Javascripts, images and even any adverts!). Some
sites don't like doing this because HTTPS pages use more server resources
and all the hits from random passers-by can increase the load, but in an
age where phising scams and identity theft are rife, everyone should be
doing it regardless.
Security is only as good as the weakest link in the chain, and an insecure
login page is open to attack just as much as any other insecure page.
Wherever your password and username end up, remember that they're typed
into that insecure page first.