WebApp Sec mailing list archives

Re: Defending users of unprotected login pages with TrustBar 0.4.9.93


From: Nathan Jackson-Eeles <c.cured () gmail com>
Date: Mon, 19 Sep 2005 14:36:07 +0200

On 19 Sep 2005 12:19:12 -0000, mike03051 () yahoo com <mike03051 () yahoo com> wrote:

Now the way I understand this should work is that the form target is a POST to https://url.com. The browser is then 
required to open an SSL connection to the server and send the form data through the encrypted channel.

Maybe you or someone on this forum can confirm or correct my understanding.

Mike Peters

Mike,

You are correct, even though a site may have an http address, it
doesn't mean that the form will be sent over http. Paypal (for
example) uses the following in its login form:
<form method="post" name="login_form"
action="https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit">

While the login details are sent securely, it doesn't do much for user
awareness!!

Regards,

Nathan Jackson-Eeles
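
The distinction discussed in this message can be checked mechanically. The following is an added example, not part of the original post: it resolves each login form's action against the URL the page was loaded from and reports whether the page, the submission, or both use TLS. The sample HTML, the example.com URLs and the names `LoginFormFinder` and `audit_login_forms` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login form as it might appear on an http:// page.
SAMPLE_PAGE = """
<form method="post" name="login_form" action="https://www.example.com/cgi-bin/login">
  <input type="text" name="user"> <input type="password" name="pass">
</form>
"""

class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions = []      # actions of finished login forms
        self._form = None      # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._flush()      # tolerate a missing </form>
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form is not None:
            self._form[1] |= (a.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def _flush(self):
        if self._form is not None and self._form[1]:
            self.actions.append(self._form[0])
        self._form = None

def audit_login_forms(page_url, html):
    """Return (resolved_action, verdict) for each login form in html."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    finder._flush()            # form still open at end of input
    page_tls = urlsplit(page_url).scheme == "https"
    results = []
    for action in finder.actions:
        target = urljoin(page_url, action)  # empty/relative action -> page URL
        if urlsplit(target).scheme != "https":
            verdict = "credentials sent in cleartext"
        elif not page_tls:
            verdict = "submission encrypted, login page itself unprotected"
        else:
            verdict = "page and submission both over TLS"
        results.append((target, verdict))
    return results
```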

