A while back Troy Hunt talked about HTTP Login forms that post to HTTPS. The long story short is these are still unsecure. As a web developer, don't be fooled into thinking that just because you're POSTing to HTTPS that your customers are safe. No, you need to have an HTTPS login form/page or you're at risk. The HTTPS POST may prevent sniffing because the traffic is encrypted, but with an unsecure HTTP form posting to HTTPS you are still at risk for man-in-the-middle. With a man-in-the-middle the form action url could tampered with and changed so your credentials get posted to some attacker website instead of the real one.
Now finally FireFox will make this even clearer by warning users if they're logging in with on a website with this insecure configuration.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment