Re: [users@httpd] SSL / HTML question

Mon, 06 Feb 2006 13:05:31 -0800 

Joshua Slive wrote:


On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote:

If you have a login html (http://www.ex.com/login.html) where the <form>
action is to a https website (https://www.ex2.com/login_script.php).
Will the login information be submitted encrypted. Or does the user
first have to be on to the secure website before loggin in?

Just wondering when you go from http(80) to https(443) when does the
data start to be secured?


Each request is independent.  So when the user hits the "POST" button,
a new request is started to the https server that will carry the data
encrypted.
But this scheme is subject to man-in-the-middle attacks.  An attacker
with access to the wire could replace login.html with his own page
that looks the same but directs the POST to his own server.   So
unless you have users that always carefully examine the web page
source code, you should make the form ecrypted as well.

Thanks Joshua, just what I wanted to know.
In short what I am doing is I have a couple static websites and one secure website they can login in to manage their website. The clients want the login form on their website and I don't what to purchase multiple SSL just for the login form. The client should alway be logging in on their website for I hope they reallize if they where not on their website. But as we all know users can be stupid or though emails ask you to click here to verify your credit card wouldn't still be out there. 

Mark.


Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
[EMAIL PROTECTED]
(519)318-7905


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to