Welcome to HostingForumz.com!

Security question -- am I correct or are they?

 
alex3 (External; member since Mar 23, 2004; 35 posts)

(Msg. 1) Posted: Tue Apr 06, 2004 12:56 pm
Post subject: Security question -- am I correct or are they?
Archived from groups: alt>www>webmaster

Hi all,

It has always been my understanding that if a form is submitted from a non-secure
page, even if the recipient page is secure, the text as it's initially
transmitted is insecure. For example, an Associate of mine was visiting the Texas
State Board of Pharmacy website and noticed the login form was not secure.
Below are the steps on visiting this page:

Go to http://www.tsbp.state.tx.us/
Click Texas On-Line Pharmacists (left column, second from bottom)
Click Continue (bottom of page)
This brings you to http://texasonline.state.tx.us/NASApp/tsbp/TsbpphstLRManager

This delivers you to a login which asks for license number and SS number on an
insecure page (http instead of https). I contacted the web designer, and they
said since the target page for the form is secure, the form contents are being
sent securely. From my experience this is incorrect... changing the initial
form to https over http is the only way of making this secure from the get-go.
Am I wrong? If an insecure form is submitted to a secure page, are the contents
of that form secure?

Something else that bothered me was they said another reason they do not
initially link to a secure form is because of browser speeds and server
performance. This I don't understand.

Comments? I'm telling our Associates who visit this page to change the initial
form to https instead of http, which does work since they have a valid Verisign
SSL.

Thanks for any comments or resources on this topic,

Alex.

spamblocked1 (External; member since Sep 19, 2003; 3499 posts)

(Msg. 2) Posted: Tue Apr 06, 2004 7:01 pm
Post subject: Re: Security question -- am I correct or are they?
Archived from groups: per prev. post

Alex wrote:
 > ...
 > Something else that bothered me was they said another reason they do
 > not initially link to a secure form is because of browser speeds and
 > server performance. This I don't understand.

The encryption algos use cpu-clicks on both the server and the client.
Also, it is my understanding that the result of encryption is larger than
the original.

--
William Tasso

alex3 (External; member since Mar 23, 2004; 35 posts)

(Msg. 3) Posted: Tue Apr 06, 2004 7:01 pm
Post subject: Re: Security question -- am I correct or are they?
Archived from groups: per prev. post

William Tasso wrote:

 > Alex wrote:
 >
  >>...
  >>Something else that bothered me was they said another reason they do
  >>not initially link to a secure form is because of browser speeds and
  >>server performance. This I don't understand.
 >
 >
 > The encryption algos use cpu-clicks on both the server and the client.
 > Also, it is my understanding that the result of encryption is larger than
 > the original.
 >

Hi William,

You are correct in that SSL does add a few clock cycles over plain text, but
using standard http over https for the login when the rest of the session is
https seems like a minor waste for a better sense of security for the user.

Also, I did some tests and ran Ethereal while logging into the site from the
unsecured page, and I think I was indeed wrong. I started Ethereal, visited the
insecure login page, typed some bogus numbers in, and submitted. I saved the
packets to a text file and scanned for what I typed in.... wasn't there. I
checked this by visiting another page with a non-secure form and that did
show up in my packet scan. So I guess as long as the page you're submitting to
is secure, whether the initial form is secure or not, your data will be encrypted.

Learn something new every day :) But I'd still make that first page secure if
for no other reason than peace of mind for the users.

Take care,

Alex.
spam3 (External; member since Jul 01, 2003; 411 posts)

(Msg. 4) Posted: Tue Apr 06, 2004 7:01 pm
Post subject: Re: Security question -- am I correct or are they?
Archived from groups: per prev. post

Alex wrote:
....
 > So I guess as
 > long as the page you're submitting to is secure, whether the initial
 > form is secure or not, your data will be encrypted.
 >
 > Learn something new every day :) But I'd still make that first page
 > secure if for no other reason than peace of mind for the users.

This is correct... When connecting to an SSL-secured service (ssh, scp,
https, etc.) the connection is first initiated with the handshake, then
further transmissions are encrypted. However, you do see that many
websites have even the form that posts the encrypted data on the SSL
side of things because most people don't understand that the
*submission* is the only part that needs securing.
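A check covering both points made above (Alex's packet capture and the reply that the submission is what gets encrypted), as an added example that is not code from the forum or from the site discussed: it parses a page's forms and reports, for each form that collects credentials, whether the page itself and the form's action URL are served over https. The sample HTML and the example.test hostnames are constructed.

```python
"""Classify login forms by the scheme of the page that served them and by the
scheme of their action URL. Added example, not code from the forum or from the
site discussed; the HTML and example.test hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_NAMES = ("password", "ssn", "license")  # assumed credential field names


class FormCollector(HTMLParser):
    """Record every <form>'s action and the (name, type) of each of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("name", "").lower(), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(page_url, html):
    """One finding per credential form. Verdicts:
    ok        - page and action both https
    mixed     - action https, so the POST body is encrypted (what the packet capture
                in the thread showed), but the form arrived over http, so nothing
                protected the action URL the browser was handed
    cleartext - action http; the credentials travel unencrypted"""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(t == "password" or any(s in n for s in SENSITIVE_NAMES)
                   for n, t in form["inputs"]):
            continue  # search boxes etc. are not the concern here
        action = urljoin(page_url, form["action"])  # "" posts back to the page itself
        page_https = urlsplit(page_url).scheme == "https"
        action_https = urlsplit(action).scheme == "https"
        verdict = "ok" if page_https and action_https else "mixed" if action_https else "cleartext"
        findings.append({"action": action, "verdict": verdict})
    return findings


# Constructed page: licence/SSN login posting to https, a search box, a same-origin password form.
SAMPLE_HTML = """<form action="https://secure.example.test/login" method="post">
<input name="license_number"><input name="ssn"></form>
<form action="/search"><input name="q"></form>
<form action="/do-login" method="post"><input name="user"><input name="pw" type="password"></form>"""
```

Run `audit_forms("http://www.example.test/login", SAMPLE_HTML)` to see the first form flagged `mixed` and the third `cleartext`; the same page fetched over https yields `ok` for both.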
spamblocked1 (External; member since Sep 19, 2003; 3499 posts)

(Msg. 5) Posted: Tue Apr 06, 2004 9:08 pm
Post subject: Re: Security question -- am I correct or are they?
Archived from groups: per prev. post

Alex wrote:
 > William Tasso wrote:
 >
  >> Alex wrote:
  >>
   >>> ...
   >>> Something else that bothered me was they said another reason they do
   >>> not initially link to a secure form is because of browser speeds and
   >>> server performance. This I don't understand.
  >>
  >>
  >> The encryption algos use cpu-clicks on both the server and the
  >> client. Also, it is my understanding that the result of encryption
  >> is larger than the original.
  >>
 >
 > Hi William,
 >
 > You are correct in that SSL does add a few clock cycles over plain
 > text, but using standard http over https for the login when the rest
 > of the session is https seems like a minor waste for a better sense
 > of security for the user.

May not be insignificant if you have many page visits and a login form on
each page. As always with these things ... YMMV. I guess it depends on the
nature of the site.

 > Also, I did some tests and ran Ethereal while logging into the site
 > from the unsecured page, and I think I was indeed wrong. I started
 > Ethereal, visited the unsecure login page, typed some bogus numbers
 > in, and submitted. I saved the packets to a text file and scanned
 > for what I typed in.... wasn't there. I checked this by visiting
 > another page with a non-secure form and that did show-up in my packet
 > scan. So I guess as long as the page you're submitting to is secure,
 > whether the initial form is secure or not, your data will be
 > encrypted.

Useful info - thanks. I didn't answer the rest of your post because I
wasn't sure.

 > Learn something new every day :) But I'd still make that first page
 > secure if for no other reason than peace of mind for the users.

If they care, they will ask and find out - like you did ;o)

One more for the 'things I know' bin.
--
William Tasso
alex3 (External; member since Mar 23, 2004; 35 posts)

(Msg. 6) Posted: Tue Apr 06, 2004 9:08 pm
Post subject: Re: Security question -- am I correct or are they?
Archived from groups: per prev. post

William Tasso wrote:

 > Alex wrote:
 >
  >>William Tasso wrote:
  >>
  >>
   >>>Alex wrote:
   >>>
   >>>
   >>>>...
   >>>>Something else that bothered me was they said another reason they do
   >>>>not initially link to a secure form is because of browser speeds and
   >>>>server performance. This I don't understand.
   >>>
   >>>
   >>>The encryption algos use cpu-clicks on both the server and the
   >>>client. Also, it is my understanding that the result of encryption
   >>>is larger than the original.
   >>>
  >>
  >>Hi William,
  >>
  >>You are correct in that SSL does add a few clock cycles over plain
  >>text, but using standard http over https for the login when the rest
  >>of the session is https seems like a minor waste for a better sense
  >>of security for the user.
 >
 >
 > May not be insignificant if you have many page visits and a login form on
 > each page. As always with these things ... YMMV. I guess it depends on the
 > nature of the site.
 >
 >
  >>Also, I did some tests and ran Ethereal while logging into the site
  >>from the unsecured page, and I think I was indeed wrong. I started
  >>Ethereal, visited the unsecure login page, typed some bogus numbers
  >>in, and submitted. I saved the packets to a text file and scanned
  >>for what I typed in.... wasn't there. I checked this by visiting
  >>another page with a non-secure form and that did show-up in my packet
  >>scan. So I guess as long as the page you're submitting to is secure,
  >>whether the initial form is secure or not, your data will be
  >>encrypted.
 >
 >
 > Useful info - thanks. I didn't answer the rest of your post because I
 > wasn't sure.
 >
 >
  >>Learn something new every day :) But I'd still make that first page
  >>secure if for no other reason than peace of mind for the users.
 >
 >
 > If they care, they will ask and find out - like you did ;o)
 >
 > One more for the 'things I know' bin.

Very true... I've been doing web programming for many years, and I didn't even
know this tidbit. Maybe two or three times in all my years of surfing the web
I've run across sites claiming to be secure yet the initial form was not secure.
I generally send a message to the webmaster citing this; next time I'll
investigate more before jumping to conclusions :P

Take care, and thanks everyone for the comments.

Alex.