[FX.php List] Is https from within an http page safe?

Dale Bengston dale.bengston at gmail.com
Fri Jun 27 14:33:23 MDT 2014


I don’t know why more banking sites and shopping/heavily e-comm sites don’t just redirect http -> https when you arrive on their site. Heck, Facebook and Google do it. The consequences are low to nil for just putting the whole site behind SSL.

Dale

On Jun 27, 2014, at 3:18 PM, Steve Winter <steve at bluecrocodile.co.nz> wrote:

> Hi Tony
> 
> I agree with Troy (frankly only a fool wouldn't).
> 
> If the page is loaded via http then there is no way to guarantee that it hasn't been tampered with prior to its arrival in your browser. Both the origin and the destination must be encrypted for the transaction to be considered 'safe' (safe being an entirely relative term when it comes to the web ;-).
> 
> Happy Friday
> Steve
> 
> Steve Winter
> +44 777 852 4776
> 
> On 27 Jun 2014, at 20:20, Tony White <tony_white at twdesigns.com> wrote:
> 
>> Hi Web Experts,
>> 
>> Is https from within an http page safe?
>> After reading this...
>> 
>> Troy Hunt: SSL is not about encryption
>> http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html
>> 
>> [begin excerpt]
>> Exploiting the HTTP to HTTPS pattern
>> 
>> The simplest way to illustrate the risk of this is by looking at a typical man-in-the-middle attack:
>> 
>> The attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
>> [end excerpt]
>> 
>> ...I would say no.
>> 
>> What do you say?
>> 
>> TIA.
>> 
>> All the best,
>> 
>> 
>> Tony White
>> Tony White Designs, Inc.
>> Tel: 646-714-2797 (Google Voice)
>> Tel: 718-797-4175
>> tony_white at twdesigns.com
>> http://www.twdesigns.com
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
