Setting up SSL/TLS on sites has gotten easier and cheaper, but it has always been the Achilles heel for a lot of web developers. One of the most common problems is not serving the login landing page over HTTPS. Developers need to understand why it is important to serve the login landing page over HTTPS and how posting the user's credentials over HTTPS is not enough.

To demonstrate the vulnerabilities that can be exploited on an insecure login landing page, I stood up a Microsoft Azure site. On this site, the login landing page below is loaded insecurely over HTTP.

There hasn't been any sensitive data exchange in this simple GET for the login form over HTTP. Therefore, as long as we post the user's credentials over HTTPS we won't be exposing the data in plain view/text of anyone listening (e.g. a packet sniffer or running a wireless adapter that supports promiscuous mode such as Alfa AWUS036NH).

Our form will post to a secure endpoint as seen below:

Finally, we can successfully log in after posting to the above secure route.

Why is this a problem? By loading a page over HTTP only to post to HTTPS, we lose one of the cornerstones of SSL/TLS, integrity. SSL/TLS provides integrity by ensuring that there has not been a compromise of the communication and the data in transit has not been tampered with.