Re: [users@httpd] SSL / HTML question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/6/06, Mark McCulligh <mmcculli@xxxxxxxxxxxxx> wrote:
> If you have a login html (http://www.ex.com/login.html) where the <form>
> action is to a https website (https://www.ex2.com/login_script.php).
> Will the login information be submitted encrypted. Or does the user
> first have to be on to the secure website before loggin in?
>
> Just wondering when you go from http(80) to https(443) when does the
> data start to be secured?

Each request is independent.  So when the user hits the "POST" button,
a new request is started to the https server that will carry the data
encrypted.

But this scheme is subject to man-in-the-middle attacks.  An attacker
with access to the wire could replace login.html with his own page
that looks the same but directs the POST to his own server.   So
unless you have users that always carefully examine the web page
source code, you should make the form ecrypted as well.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux