Submitting Secure Information from Unsecured Pages
Using SSL encryption to secure information is processor intensive on both the server and the client, and the extra handshaking can noticeably slow the delivery of pages to your visitors. Not surprisingly, some webmasters have adopted an underhanded workaround: placing sensitive inputs such as login/password fields on home pages that are not SSL encrypted. The reasoning seems to be that since the login/password information is submitted to an HTTPS encrypted page, the data is secure. Well, not so fast.
Using my own sector, web site monitoring, I first checked how prevalent this practice actually is. Of 12 sites checked, 10 (83%) provided login/password inputs on the home page. Clearly the practice is widely used within our sector.
The next step was to determine whether the 10 sites using this practice actually submitted the login/password information to an SSL-enabled page. Shockingly, nine of the 10 did not. A sniffer (HTTPLook by BinaryAge Software) was used to confirm this, as shown in the capture below: nine companies employing this practice transmitted login information in clear text across the Internet.
    POST /User/clients-login.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ...
    Referer: (blanked out to protect the guilty)
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ....
    Host: (blanked out to protect the guilty)
    Content-Length: 54
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: Dana-Net=CookieEnabled=YES; ASP.NET_SessionId=123

    Action=Login&Name=test&Pwd=test&Submit.x=23&Submit.y=5
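The check described above can be done against your own pages before a sniffer ever has to see a password. The following script is an added example and is not code from the article or from SiteRecon: given the HTML of a page and the URL it was served from, it finds every form that contains a password field, resolves the form's action the way a browser would (a missing action posts back to the page itself), and reports whether the credentials would travel to an HTTPS target. The sample page, host name example.test and the form paths are constructed for the demonstration; the first form reuses the login path seen in the capture.

```python
"""Find login forms whose submit target is not HTTPS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records, for every <form>, its action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str | None, "password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # type defaults to "text" when the attribute is absent
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url):
    """Return one finding per form that contains a password field.

    status is "cleartext-submit" when the resolved action is not HTTPS,
    "mixed" when the action is HTTPS but the form itself was served over
    plain HTTP, and "ok" when both page and target are HTTPS.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # urljoin handles relative, absolute and protocol-relative actions;
        # an empty action means the browser posts back to the page URL.
        target = urljoin(page_url, form["action"] or "")
        submit_https = urlsplit(target).scheme == "https"
        if not submit_https:
            status = "cleartext-submit"
        elif not page_https:
            status = "mixed"
        else:
            status = "ok"
        findings.append({"action": target, "page_https": page_https,
                         "submit_https": submit_https, "status": status})
    return findings


def count_cleartext(findings):
    """Number of login forms that would send the password unencrypted."""
    return sum(1 for f in findings if f["status"] == "cleartext-submit")


# Constructed sample home page: a "secure" badge, a login form posting over
# plain HTTP, a login form posting to HTTPS, and a search form (no password).
SAMPLE_HOME_PAGE = """
<html><body>
<img src="/images/secure-lock.gif" alt="Your login is secure">
<form action="/User/clients-login.aspx" method="post">
  <input type="text" name="Name"><input type="password" name="Pwd">
  <input type="image" name="Submit" src="/go.gif">
</form>
<form action="https://example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    results = audit_login_forms(SAMPLE_HOME_PAGE, "http://example.test/")
    for finding in results:
        print(f"{finding['status']:16} -> {finding['action']}")
    print(f"{count_cleartext(results)} of {len(results)} login forms submit in clear text")
```

Run it against the HTML of your own home page and the URL you fetched it from. The "mixed" status is worth keeping separate from "ok": it flags exactly the case the article discusses, a form that does reach an HTTPS endpoint but was itself delivered over plain HTTP, which is the configuration the author advises against because the visitor has no way to tell the two apart.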
Why would a business put themselves and their customers at risk by employing a practice that clearly makes sensitive data vulnerable to a man in the middle (MITM) attack? Were the companies attempting to save a few dollars by not installing SSL server certificates? Was this just a "convenience" so customers could save a mouse click, or was this just implemented incorrectly?
To answer these questions, I first prefixed https://www. to each of the nine companies' domain names to see whether the home page would display using SSL encryption. Two of the nine returned errors indicating no server SSL certificate was installed. Two others returned errors indicating the certificate did not match the domain name. So 44% either had no SSL certificate installed or displayed certificate validation warnings to the user. GoDaddy offers SSL certificates for $19.99 per year, so it is hard to imagine this practice is driven by cost. Not a comforting thought.
Having a site visitor enter his/her login/password on the home page is clearly more convenient and does save a mouse click. The question becomes: how is a visitor to know whether that information is actually being transmitted securely? Some of the sites reviewed even used graphics and verbiage indicating that customer data was being transmitted securely, when in fact it was not. Short of reading the page source, or testing with invalid information and watching the traffic, a site visitor would not know. In my opinion, this is a large blow to user confidence for the sake of saving a mouse click.
So what about the one company that uses this practice and does indeed submit to an HTTPS page? Based on HTTPLook, the submission is encrypted. If you want to submit secure information from unsecured pages, it appears it can be done securely if implemented correctly. However, in doing so you place visitors in the unenviable position of trying to determine whether your site implements security correctly. For that reason, I strongly suggest avoiding this practice. If you're still not convinced this is a bad practice, repeat my steps with your bank, credit card companies, brokerage firm, or favorite online site. You may find yourself shocked, outraged, and an evangelist against this practice. I know I was!
Source: Free Articles from ArticlesFactory.com
Lew Newlin is CTO of Information Solutions, Inc., which operates SiteRecon.com. SiteRecon specializes in email monitoring and web site monitoring for Internet service providers and businesses.