[FX.php List] When to start SSL on a site

Leo R. Lundgren leo at finalresort.org
Thu Apr 8 08:24:19 MDT 2010


If I make a site that needs to be secured, and HTTPS is part of it, I  
default to using HTTPS for the entire site. Why wait?

So in short; I rewrite/redirect HTTP to HTTPS in order to force the  
latter.

Regarding the form; IMO it's vital that you don't output the login  
form on a page that is insecure. Consider the possibility that an  
attacker hijacks the insecure page on which the login form is, and  
thereby manages to change the URL that the form targets. In such a  
situation it doesn't matter that the URL you *intended* the form to  
target is secure, because the form itself isn't.


On 8 Apr 2010, at 15:55, Jonathan Schwartz wrote:

> Hi Folks,
>
> Just thought I would throw this out...
>
> In creating a site that starts out with non-ssl content (5-6 pages)  
> and offers a login to access ssl content, where do you switch over  
> to the ssl content?  Specifically, if the login form is embedded in  
> all the non ssl pages (user can login from any of the non-ssl pages)  
> and the form action points to a page on the ssl side for login  
> validation, is this considered secure? I'm thinking not, but then  
> how do you offer a secure login without making the entire site  
> ssl/https?
>
> Thanks for listening.
>
> Jonathan
> -- 
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
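
The approach described in the reply above (redirect all HTTP to HTTPS, and never emit the login form on an insecure page), sketched in PHP as an added example that is not part of the original thread. The host name `www.example.com`, the `/login.php` target and all function names are placeholders, and it assumes PHP sees the real transport in `$_SERVER['HTTPS']` (no TLS-terminating proxy in front).

```php
<?php
// Added example, not code from the thread. Placeholder host; replace with the site's own.
const CANONICAL_HOST = 'www.example.com';

function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Build the HTTPS URL from a fixed host, never from the client-supplied Host header.
function https_url_for(array $server): string
{
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

// Redirect every plain-HTTP request to its HTTPS equivalent before any output.
function force_https(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    header('Location: ' . https_url_for($server), true, 301);
    exit;
}

function render_login_form(array $server): string
{
    // Second line of defence: refuse to emit the form on an insecure page,
    // even if the redirect above is removed or bypassed later.
    if (!request_is_https($server)) {
        throw new RuntimeException('login form requested over plain HTTP');
    }
    // Absolute https:// action (hypothetical /login.php endpoint).
    $action = htmlspecialchars('https://' . CANONICAL_HOST . '/login.php', ENT_QUOTES);
    return '<form method="post" action="' . $action . '">'
         . '<input name="user"> <input name="pass" type="password">'
         . '<button type="submit">Log in</button></form>';
}

force_https($_SERVER);
// The session cookie is only sent over HTTPS and is not readable from scripts.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'path' => '/']);
session_start();
echo render_login_form($_SERVER);
```

The array form of `session_set_cookie_params()` requires PHP 7.3 or later.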


