Re: is this webpage secure?

From: Jeffrey F. Bloss (jbloss_at_tampabay.mapson.rr.com)
Date: 11/29/05


Date: Tue, 29 Nov 2005 18:18:46 GMT

Dr Balwinder Singh Dheeman wrote:

> Proteus wrote:
>> I am told by people in charge at the campus where I teach that this
>> login page is secure, that the form login info (username, password) is
>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>> says the page is not encrypted, not secure. Can someone clarify how such
>> a login page can securely transmit the login info? Link to login page is
>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
> No, I don't think so; you are sending clear text data via _http_ (port 80),
> whereas URLs for secure pages send encrypted data via _https_ (http via
> ssl, port 443).

Just to clarify, the login form is built this way...

<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" ... >

doLogin.asp is essentially a bit of JavaScript that does this among other
things...

    form.action = 'https://lsc.ims.mnscu.edu';
    [...]
    form.submit();

A secure connection is negotiated before any form data is submitted, so
nothing but the form and the login script is sent in the clear, to the
site's visitor. No names or passwords or anything go back the other way
unencrypted.

FWIW, I did packet capture a (failed) session just to make sure nothing
was broken. ;)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (@ @)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok!              Registered Linux user #402208

