The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

SSL/Forms/Login

If I have a form which is not https but which has an action to access an https method, will the information I send be secure? It was my understanding that the form you were in needed to be https.

For example, check out http://www.chase.com

There is a user login in.  Because this form is not http (but the action is), will the username and password I submit be SSL protected?

Thanks,
Richard Gardner
Wednesday, December 12, 2007
 
 
Yes, the data that they submit will be encrypted, even if the form they're entering it on wasn't delivered to them encrypted.

However, most people have been trained to look for the secure "lock" icon on their browser, and may be hesitant to put personal data on a form that doesn't have it, so send the submission form via SSL as well so they're happy.
xampl
Wednesday, December 12, 2007
 
 
It will be protected as xampl said, but there's no guarantee that the unsecured page with the login form originated from a trusted source, or was not tampered with in transit.

Having an unsecured login page is bad practice for sensitive sites, period.  That doesn't mean it isn't featured in the wild quite a bit.
Pseudo Masochist
Wednesday, December 12, 2007
 
 
You can always create an iframe on your http-served page, with the login-form served over https. That way, the majority of the page will load fast (which supposedly is why you would want to do anything like this), but still make the login-form secure.
Troels Knak-Nielsen
Wednesday, December 12, 2007
 
 

This topic is archived. No further replies will be accepted.
