WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Rogan Dawes <discard () dawes za net>
Date: Tue, 27 Jul 2004 16:22:33 +0200


Konstantin Ryabitsev wrote:

> On Tue, 2004-07-27 at 09:55 -0400, Mark Curphey wrote:
>
>> But at that point it's too late. The check for server authentication is done
>> after I have sent my username and password. This IMHO is a bad practice that
>> has started to creep into other sites, including online banking.
>
> Not really. SSL verification is done before the HTTP headers are sent to
> the server (same reason why you can't have name-based SSL virtual
> hosting), so if there is an SSL cert mismatch, your browser will alert you,
> and if you cancel the connection then, the server won't see any of your
> data.
>
> In fact, presenting the login form on the SSL page won't win you
> anything, since there is no guarantee that you will submit your data to
> the same SSL-enabled server as the one that sent you the login form.

Not so. I assume that you trust the holder of the SSL cert that you verified prior to submitting your credentials; otherwise you would not do so ;-)

If they wanted to get your credentials, it is as easy to write an app on their own server as it is to modify their page to send your credentials to a different server, and a lot less suspicious, too!

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
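The thread turns on where the login form is delivered from and where it posts to: a form served over plain HTTP can be tampered with before any certificate is ever verified, a form whose action is HTTP sends the credentials in the clear, and a form that posts to a host other than the one whose certificate the user checked is the case the two posters disagree about. The following checker, added here as an editor's example and not code from anyone in the thread, classifies password-carrying forms along exactly those lines. The page URLs, host names and HTML snippets are constructed for illustration; the cross-host case is only reported, not judged, since the thread itself does not settle whether it is a problem.

```python
"""Classify login forms by page origin and submission target.

Added editor's example (not from the mailing-list thread). All sample
HTML and URLs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Missing or valueless action means "post back to the page URL".
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(finding, resolved_action_url)] for every form with a password field.

    Findings, checked in this order:
      "plaintext-page"     the form itself arrived over HTTP; whoever can alter
                           that page can repoint the POST, and no certificate
                           check protects the user before the form is rendered
      "plaintext-action"   the credentials would be POSTed over HTTP
      "cross-host-action"  an HTTPS page posts to a different host than the one
                           whose certificate the user verified (reported only)
      "ok"                 HTTPS page, HTTPS action, same host
    """
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not login forms
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            finding = "plaintext-page"
        elif target.scheme != "https":
            finding = "plaintext-action"
        elif target.hostname != page.hostname:
            finding = "cross-host-action"
        else:
            finding = "ok"
        results.append((finding, target.geturl()))
    return results


# Constructed sample pages (hypothetical hosts).
SAMPLE_FORM = """<html><body>
<form action="https://login.example.com/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form></body></html>"""

RELATIVE_FORM = """<form action="/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>"""

PLAINTEXT_ACTION_FORM = """<form action="http://www.example.com/auth" method="post">
  <input type="password" name="pass">
</form>"""


if __name__ == "__main__":
    # The pattern the thread calls a bad practice: HTTP page, HTTPS action.
    for page_url, html in [
        ("http://www.example.com/", SAMPLE_FORM),
        ("https://login.example.com/", SAMPLE_FORM),
        ("https://www.example.com/", SAMPLE_FORM),
        ("https://www.example.com/login", RELATIVE_FORM),
        ("https://www.example.com/", PLAINTEXT_ACTION_FORM),
    ]:
        print(page_url, audit_login_forms(page_url, html))
```

Run it against a saved copy of a login page together with the URL it was fetched from; only the first two findings are defects on their own terms, while "cross-host-action" is the situation Rogan argues is acceptable once you trust the certificate holder.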
