Firefox recently added an information dialog which tells us when login data could be compromised (because it is sent over plain HTTP). Why is it that so many websites are secured through SSL, but they leave out the login process? Are those things that much different? If SSL already works, why not also use it for the login process? How could this have become a problem in the first place? I mean, it takes some work to set up SSL for a backend application, but isn't it free to link it to the login too? Are there pitfalls or something when you do that?
1 Answer
There is no reason to leave the login out of https. Quite the opposite.
If the login page uses https but the form has an http target, even if that target redirects to https, it's insecure and the browser will probably display a warning. There is no reason not to change the target to use https directly.
And the only secure configuration is to use https on all the web pages, with HSTS. Any other configuration makes https web pages vulnerable to MitM/SSLStrip attacks.
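A small audit script for the two problems the answer names (a password form whose action posts over plain http, and a missing HSTS header), added here as an example and not taken from the thread. It assumes the page HTML and response headers have already been fetched; the sample login page and headers below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: action and whether it has a password field
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return findings for a login page: page scheme, password-form target
    scheme (an empty action posts back to page_url) and presence of HSTS."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page is served over plain http")
    parser = _FormFinder()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue
        # Resolve relative or empty actions against the page URL before checking the scheme
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append("password form posts to plain http target: " + target)
    lowered = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header (SSLStrip-style downgrade possible)")
    return findings


# Constructed sample: an https login page whose form still posts over http, with no HSTS header.
SAMPLE_HTML = ('<form action="http://example.com/login" method="post">'
               '<input name="user"><input type="password" name="pass"></form>')
SAMPLE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(audit_login_page("https://example.com/login", SAMPLE_HTML, SAMPLE_HEADERS))
```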