Submitting a form to a secure URL from an insecure page

Suppose I have a form on a page in this place ...

http://mydomain.com/myform.htm 

And the form looks like this ...

 <form method="post" action="https://secure.otherdomain.com/handleform.php"> .... </form> 

Assuming a valid SSL certificate is installed on the server that receives this form, will the contents of this form be encrypted?

+2
3 answers

The POST request will be transmitted via HTTPS (therefore, it is encrypted if it is configured correctly). Submitting a form from a page received via plain HTTP to an HTTPS page is bad practice. The home page should also be served via HTTPS. The reason for this is that a MITM attacker can intercept the response that loads the page with the form and replace the link with another target.

See the first rule here (of course, not for login pages):

Rule - Use TLS for all login pages and all authenticated pages.

The login page and all subsequent authenticated pages must be accessed exclusively over TLS. The initial login page, called the "login landing page", must be served over TLS. Failure to use TLS for the landing page allows an attacker to modify the login form, as a result of which user credentials will be sent to an arbitrary location. Failure to use TLS for authenticated pages after login allows an attacker to view the unencrypted session identifier and compromise the user's authenticated session.

+6
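The first answer's point is that the POST itself is encrypted but the page carrying the form is not, so an attacker who can alter the HTTP response can change where the form goes. The following is an added example, not code from the thread, that audits a page's forms for exactly that combination; it uses only the standard library, and the page URL and HTML are constructed to mirror the question.

```python
# Added example (not from the original thread): flag the situation discussed
# above, where a form's action is https:// but the page carrying the form was
# served over plain http://, so an on-path attacker can rewrite the action.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collects the resolved action URL of every <form> in a document."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":  # HTMLParser lowercases tag names
            return
        # A missing/empty action submits back to the page URL itself.
        self.actions.append(urljoin(self.page_url, dict(attrs).get("action") or ""))


def classify_form(page_url, action_url):
    """Verdict for one form: ok, plaintext-submit, or insecure-context."""
    page_https = urlparse(page_url).scheme == "https"
    action_https = urlparse(action_url).scheme == "https"
    if page_https and action_https:
        return "ok"
    if not action_https:
        return "plaintext-submit"  # field values travel unencrypted
    return "insecure-context"  # POST is encrypted, but the page itself is not


def audit_forms(page_url, html):
    """Return [(action_url, verdict)] for every form found in `html`."""
    collector = FormCollector(page_url)
    collector.feed(html)
    return [(a, classify_form(page_url, a)) for a in collector.actions]


# Constructed sample reproducing the question: http:// page, https:// action,
# plus a second form with a relative action that resolves to http://.
SAMPLE_HTML = """<html><body>
<form method="post" action="https://secure.otherdomain.com/handleform.php"></form>
<form method="get" action="/search"></form>
</body></html>"""

if __name__ == "__main__":
    for action, verdict in audit_forms("http://mydomain.com/myform.htm", SAMPLE_HTML):
        print(f"{verdict:17} {action}")
```

The fix for an "insecure-context" finding is the one the answer gives: serve the page that contains the form over HTTPS as well, rather than only the form handler.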

Assuming a valid SSL/TLS session can be negotiated between the server and the client, then yes. This means that the client must be willing to trust the certificate provided by the server, and that both parties can agree on a mutually acceptable set of ciphers (which algorithms to use, etc.). There are many configuration options you can change to alter what is allowed, but in a "normal" implementation, where you don't get into a mess of requiring a specific, unusual algorithm, requiring client-side certificate authentication, etc., everything should work fine and you will have a secure session... and if it fails for some reason, you will know, because your client will receive a message about what went wrong.

Please note that in the general case, although you can do this and the transmission will be encrypted, you usually should not. Having an unencrypted page submit to a secure one leaves you vulnerable to man-in-the-middle attacks. You can see the OWASP article about this, and why it is bad, here.

+3

Yes. It will be transmitted reliably.

0

Source: https://habr.com/ru/post/1386861/
