Re: https question



On Thursday July 22, 2004 at 11:07 a.m. "clangin@siu.edu"
<clangin@siu.edu> wrote:
>
> I notice that some "secure" sites are still
> in http when they ask for the username and password,
> and _then_ they go to https.
>
> Is the username and password encrypted before going
> to the https site?  Or should these web sites go
> to the https site, first, and then ask for the
> username and password?

Chet,

Darned good question. The answer is probably "it depends" on whether or
not the programmer really knew what he was doing. What matters is how
"submit" is handled when you click on it. The first thing that *should*
happen is that an SSL/HTTPS link is opened to the web site doing the
username/password validation. The username and password should then be
passed over that secured link for processing. You probably won't be able
to detect when the mode change occurs just watching the padlock symbol in
the lower right-hand corner of your browser.

I'm sure there are bonehead examples of where this is done in the reverse
order. Don't go there.

--Doc
Robert G. (Doc) Savage, BSE(EE), CISSP, RHCE | Fairview Heights, IL
Fedora Core 1 kernel 2.4.22-1.2188.nptl on P-III/M IBM Thinkpad A22p
"Perfection is the enemy of good enough."
                          -- Admiral of the Fleet Sergei G. Gorshkov
