Re: is this webpage secure?

From: Newsbox (nospam_for_me_please_at_thanks.invalid)
Date: 11/29/05


Date: Tue, 29 Nov 2005 13:25:33 -0500

On Tue, 29 Nov 2005 23:26:32 +0530, Dr Balwinder Singh Dheeman wrote:

> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this login
>> page is secure, that the form login info (username, password) is secure
>> when sent. But the browser page (Firefox, Mandriva Linux) info says the
>> page is not encrypted, not secure. Can someone clarify how such a login
>> page can securely transmit the login info? Link to login page is below:
>> http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http
> via ssl, port 443).
>
> You can verify/confirm it by capturing data on port 80 and/or 443 with
> help of tcpdump(8) and/or ethereal(1).

I have come across similar "secure" logins on non-secure pages, also
questioned and was reassured, and did capture what was actually
transmitted. It was in fact encrypted, in the case that I looked at. I
suspect that each such case of importance needs individual examination.
It seems there are different ways to divide a page into secure and
non-secure parts, i.e. with frames or scripts.

The question that remains in my mind is why anyone would bother with the
additional complexities involved in doing so, along with all the new
possible sources of error and insecurity, especially for a simple login
page. I'm sure those who write these pages have their reasons, but it
seems like a bad idea to me.
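
Added example, not part of the original post: a static check of where a login form actually submits, covering the case discussed in this thread of a form served over http that posts to an https target. The function and class names are hypothetical and the two HTML samples are constructed, using the placeholder domain example.edu rather than any real site's markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormFinder(HTMLParser):
    """Collect each <form> with its action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []  # one [action, has_password] entry per form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True

def classify_login_forms(page_url, html):
    """Return [(submit_url, verdict)] for every form containing a password field."""
    finder = FormFinder()
    finder.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    results = []
    for action, has_pw in finder.forms:
        if not has_pw:
            continue
        # An empty or relative action resolves against the page URL,
        # so it inherits the page's scheme.
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            verdict = "cleartext-submit"
        elif not page_https:
            # Credentials travel encrypted, but the form was delivered unencrypted.
            verdict = "encrypted-submit-from-unencrypted-page"
        else:
            verdict = "encrypted"
        results.append((target, verdict))
    return results

# Constructed sample pages (assumptions for illustration only).
PAGE_A = '<form action="login.cfm" method="post"><input name="u"><input type="password" name="p"></form>'
PAGE_B = '<form action="https://login.example.edu/auth" method="post"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for name, html in (("A", PAGE_A), ("B", PAGE_B)):
        print(name, classify_login_forms("http://www.example.edu/Online/login.cfm", html))
```

A static check like this does not see a submission target set by a script at run time, so a capture with tcpdump(8) or ethereal(1), as suggested earlier in the thread, remains the way to confirm what is sent on the wire.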


