Topic awaiting preservation: When does SSL Matter? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28291" title="Pages that link to Topic awaiting preservation: When does SSL Matter? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: When does SSL Matter? <span class="small">(Page 1 of 1)</span>\$

H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 08-03-2006 08:05 I was just wonder at what point SSL is required. If i have a login form for username/password and want the data to be encrypted, does the page with the login form need to be SSL or just the target of the form? I am assuming that the form itself needs to be encrypted since you are effectively sending that information TO The SLL form target, so from the form to the SSL script which handles it would be unprotected. Can anyone clarify this?
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 08-03-2006 09:05 No, the form would not need to be encrypted, since indeed you only send the data to the target. So the target needs ssl, the form doesn't. But who would believe your form target is encrypted when your form isn't? Plus, it's kinda bad to send a form to a different server than it came from.
H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 08-03-2006 09:52 Ahh i think you are misunderstanding my intentions! I dont want to send it to another server, but I have a couple of options. In general you dont want your entire website to be SSL because it will be slower, but you might want a login panel down the side so someone can enter their details and press login. This way you dont have to send them to a SSL login form and then submit. If it works as you say it does then its fine, you can still have an unsecure form on your http website, send to the https login script to log you in. Its very possibly the way most sites do it anyway, i was just making sure. A lot of major sites have a little login box in the corner of their site even though the page is not SSL.
DmS Maniac (V) Inmate From: Sthlm, Sweden Insane since: Oct 2000	posted 08-03-2006 11:46 What you can't do is to have a section of you page over SSL and the rest unsecure. Even though it is possibe to load for example images over http and html over https the user will be presented with a warning that there is mixed secure and unsecure content, Imho that's untrustworthy. You can have an unsecure formpage that submits over https to a sercure page, note that the user probably will recieve warnings that you are changing mode, but that's a lot better than mixed content. What we do is to have different sections that are secured, those that require login, personal info, account etc. Non-personal info that does not require a secure connection is served over http unless you are logged in. Our loginforms are normaly on https pages, with login-links leading to the actual forms to avoid warnings etc. Which way you should go is imho totally based on what type of information you are handling for the customer, how sensitive it is. Account and monetary data doubtless over https with bought valid certificates, no question! Normal personal configurationchoices, ssettings etc are a lot less sensitive. Step back to yourself and ask what you would need to trust things But unless you have a high traffic site there should be no real problems to run accountpages over SSL and the rest over http. /Dan / I'm a ginio.....genios......genu......smart person! / {cell 260} {Blog} -{ Sleep: A common physical disorder that manifests itself as the level of blood in the caffeine circulation exeeds 20% }-
H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 08-03-2006 13:17 Yeh in the past i have had the form page as SSL, i just wondered about it since i see so many websites where the login form isnt on https. Will have to see if they get a warning when submitting the form, i didnt think they would - i know you get them when using non SSL images etc. The other thing to consider... lets say im using javascript to log the user in with XMLHttpRequest, this would mean i can have my http page, and the XMLHttpRequest requests a HTTPS page. Would that situation send the data securely? In essence its the same thing so i guess it should.
HZR Paranoid (IV) Inmate From: Cold Sweden Insane since: Jul 2002	posted 08-03-2006 16:11 Yngve Nysæter, which is a developer on Opera with responsibilities such as HTTP and SSL, recently wrote a blog post about this. quote: Sites pretending to be secure [...] One category of sites put the login field on an unsecured server, e.g. the front page (very popular with some banks), and claims that this is secure because the credentials are sent securely to the server, ignoring the fact that the unsecured form could be modified by anyone with the ability to listen in on your network connection, or that it is no easy way to detect the tampering. You can read the full post here: http://my.opera.com/yngve/blog/show.dml/382945 (Edited by HZR on 08-03-2006 16:12)
HZR Paranoid (IV) Inmate From: Cold Sweden Insane since: Jul 2002	posted 08-03-2006 20:39 quote: The other thing to consider... lets say im using javascript to log the user in with XMLHttpRequest, this would mean i can have my http page, and the XMLHttpRequest requests a HTTPS page. This is currently not possible in any browser as far as I know. The XMLHttpRequest specification, which is currently being written, also forbids this, so it will not be possible in the future. quote: [...] [T]he implementation should only allow a page loaded from website A to access other pages on the same website. [...] [S]eparate protocols (like http vs. https) are considered as separate websites. -- http://www.w3.org/TR/XMLHttpRequest/#security (Edited by HZR on 08-03-2006 20:40)
H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 08-04-2006 03:48 Yeh I wasnt sure about that actually, however im not sure thats correct. I will have to try it when i get my ssl cert installed. Have read alot of mixed reports on using XMLHttpRequest with SSL and it seems alot of people have it working. Either way it doesn't matter, i hadn't intending on doing this, was just curious about it. I think i will have my unsecure login box with an additional link to "Secure Login" for the servers that have SSL installed

Topic awaiting preservation: When does SSL Matter? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28291" title="Pages that link to Topic awaiting preservation: When does SSL Matter? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: When does SSL Matter? <span class="small">(Page 1 of 1)</span>\$

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-03-2006 08:05

I was just wonder at what point SSL is required.

If i have a login form for username/password and want the data to be encrypted, does the page with the login form need to be SSL or just the target of the form?

I am assuming that the form itself needs to be encrypted since you are effectively sending that information TO The SLL form target, so from the form to the SSL script which handles it would be unprotected.

Can anyone clarify this?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-03-2006 09:05

No, the form would not need to be encrypted, since indeed you only send the data to the target.
So the target needs ssl, the form doesn't.

But who would believe your form target is encrypted when your form isn't?
Plus, it's kinda bad to send a form to a different server than it came from.

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-03-2006 09:52

Ahh i think you are misunderstanding my intentions!

I dont want to send it to another server, but I have a couple of options. In general you dont want your entire website to be SSL because it will be slower, but you might want a login panel down the side so someone can enter their details and press login. This way you dont have to send them to a SSL login form and then submit.

If it works as you say it does then its fine, you can still have an unsecure form on your http website, send to the https login script to log you in.

Its very possibly the way most sites do it anyway, i was just making sure. A lot of major sites have a little login box in the corner of their site even though the page is not SSL.

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 08-03-2006 11:46

What you can't do is to have a section of you page over SSL and the rest unsecure.
Even though it is possibe to load for example images over http and html over https the user will be presented with a warning that there is mixed secure and unsecure content, Imho that's untrustworthy.

You can have an unsecure formpage that submits over https to a sercure page, note that the user probably will recieve warnings that you are changing mode, but that's a lot better than mixed content.

What we do is to have different sections that are secured, those that require login, personal info, account etc. Non-personal info that does not require a secure connection is served over http unless you are logged in.

Our loginforms are normaly on https pages, with login-links leading to the actual forms to avoid warnings etc.

Which way you should go is imho totally based on what type of information you are handling for the customer, how sensitive it is. Account and monetary data doubtless over https with bought valid certificates, no question!
Normal personal configurationchoices, ssettings etc are a lot less sensitive.

Step back to yourself and ask what you would need to trust things
But unless you have a high traffic site there should be no real problems to run accountpages over SSL and the rest over http.
/Dan

*/ I'm a ginio.....genios......genu......smart person! /*

{cell 260} {Blog}
-{ Sleep: A common physical disorder that manifests itself as the level of blood in the caffeine circulation exeeds 20% }-

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-03-2006 13:17

Yeh in the past i have had the form page as SSL, i just wondered about it since i see so many websites where the login form isnt on https.

Will have to see if they get a warning when submitting the form, i didnt think they would - i know you get them when using non SSL images etc.

The other thing to consider... lets say im using javascript to log the user in with XMLHttpRequest, this would mean i can have my http page, and the XMLHttpRequest requests a HTTPS page.

Would that situation send the data securely? In essence its the same thing so i guess it should.

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 08-03-2006 16:11

Yngve Nysæter, which is a developer on Opera with responsibilities such as HTTP and SSL, recently wrote a blog post about this.

quote:
Sites pretending to be secure
[...]
One category of sites put the login field on an unsecured server, e.g. the front page (very popular with some banks), and claims that this is secure because the credentials are sent securely to the server, ignoring the fact that the unsecured form could be modified by anyone with the ability to listen in on your network connection, or that it is no easy way to detect the tampering.

You can read the full post here: http://my.opera.com/yngve/blog/show.dml/382945

(Edited by HZR on 08-03-2006 16:12)

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 08-03-2006 20:39

quote:
The other thing to consider... lets say im using javascript to log the user in with XMLHttpRequest, this would mean i can have my http page, and the XMLHttpRequest requests a HTTPS page.

This is currently not possible in any browser as far as I know. The XMLHttpRequest specification, which is currently being written, also forbids this, so it will not be possible in the future.

quote:
[...] [T]he implementation should only allow a page loaded from website A to access other pages on the same website. [...] [S]eparate protocols (like http vs. https) are considered as separate websites.

-- http://www.w3.org/TR/XMLHttpRequest/#security

(Edited by HZR on 08-03-2006 20:40)

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-04-2006 03:48

Yeh I wasnt sure about that actually, however im not sure thats correct. I will have to try it when i get my ssl cert installed.

Have read alot of mixed reports on using XMLHttpRequest with SSL and it seems alot of people have it working. Either way it doesn't matter, i hadn't intending on doing this, was just curious about it.

I think i will have my unsecure login box with an additional link to "Secure Login" for the servers that have SSL installed