A general question regarding SSL and login. Does it matter if a login form is not passed through SSL when sent to the user browser but the post action is? Will the password be sent through SSL in this case? -- Posted via http://www.ruby-forum.com/.
2009/6/8 Pål Bergström <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>:> > A general question regarding SSL and login. Does it matter if a login > form is not passed through SSL when sent to the user browser but the > post action is? Will the password be sent through SSL in this case?Both need to be wrapped in SSL for proper security. If the form is not SSL then people can do MITM attacks (among others) to get the username/password sent to the wrong server. -- Aaron Turner http://synfin.net/ http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Aaron Turner wrote:> Both need to be wrapped in SSL for proper security. If the form is > not SSL then people can do MITM attacks (among others) to get the > username/password sent to the wrong server. > >Thanks for the clarification. :-) -- Posted via http://www.ruby-forum.com/.
Aaron Turner wrote:> 2009/6/8 P�l Bergstr�m <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>: >> >> A general question regarding SSL and login. Does it matter if a login >> form is not passed through SSL when sent to the user browser but the >> post action is? Will the password be sent through SSL in this case? > > Both need to be wrapped in SSL for proper security. If the form is > not SSL then people can do MITM attacks (among others) to get the > username/password sent to the wrong server. >Besides that, users expect to see the lock (and https) on the page with the login form. I''d be leery of any site that contained a username/password that was not contained within a secure page. Plus there''s no good reason not to secure the login form''s page. -- Posted via http://www.ruby-forum.com/.
Robert Walker wrote:> Aaron Turner wrote:> Besides that, users expect to see the lock (and https) on the page with > the login form. I''d be leery of any site that contained a > username/password that was not contained within a secure page. Plus > there''s no good reason not to secure the login form''s page.A strong reason. I say the same. I hesitate if I don''t see the lock and https. -- Posted via http://www.ruby-forum.com/.