WebApp Sec mailing list archives
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
From: Nathan Jackson-Eeles <c.cured () gmail com>
Date: Mon, 19 Sep 2005 14:36:07 +0200
On 19 Sep 2005 12:19:12 -0000, mike03051 () yahoo com <mike03051 () yahoo com> wrote:
> Now the way I understand this should work is that the form target is a POST to https://url.com. The browser is then required to open an SSL connection to the server and send the form data through the encrypted channel. Maybe you or someone on this forum can confirm or correct my understanding.
>
> Mike Peters
Mike,

You are correct: even though a site may have an http address, it doesn't mean that the form will be sent over http. Paypal (for example) uses the following in its login form:

<form method="post" name="login_form" action="https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit">

While the login details are sent securely, it doesn't do much for user awareness!!

Regards,
Nathan Jackson-Eeles
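The distinction discussed in this message, between the scheme of the page that carries the login form and the scheme of the form's action, can be checked mechanically. The following is an added example, not part of the original post: the function and class names, the page URL and the input field names in the sample are constructed, and only the form tag's attributes come from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect the attributes of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.current = None       # form currently being parsed, if any
        self.login_forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = {"attrs": attrs, "has_password": False}
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["has_password"]:
                self.login_forms.append(self.current["attrs"])
            self.current = None

def audit_login_forms(page_url, html):
    """Return a (submission_url, verdict) pair for each login form in html."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for attrs in finder.login_forms:
        # A missing or empty action submits to the page's own URL.
        target = urljoin(page_url, attrs.get("action") or "")
        target_https = urlsplit(target).scheme == "https"
        if page_https and target_https:
            verdict = "page and submission both over HTTPS"
        elif target_https:
            verdict = "encrypted submission, but the page itself arrived over HTTP"
        else:
            verdict = "credentials submitted over plain HTTP"
        results.append((target, verdict))
    return results

# Constructed sample: the form tag from the message plus made-up input fields.
SAMPLE_PAGE_URL = "http://www.paypal.com/"
SAMPLE_HTML = '''<form method="post" name="login_form"
 action="https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit">
<input type="text" name="email"><input type="password" name="pass"></form>'''

if __name__ == "__main__":
    print(audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The middle verdict is the case raised here: the credentials travel over SSL, but the page that displayed the form was not delivered over SSL, so the user sees no browser indication of a secure site before typing.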