This will be a bit difficult to explain but I will try my best.
There is a website that has the login form on every page with username/password fields. These pages are not using SSL. After the user fills in the username/password and submits the form, the form is sent to an authentication page which is https.
I have a few questions about this situation.
Thanks a lot for any help!
Metropolis
CONCLUSION
Ok, so after thinking about this for a while I have decided to just make the whole thing https. @Mathew + @Rook, your answers were both great and I think you both make great points. If I was in a different situation I may have done this differently, but here are my reasons for making the whole thing https.
To answer the question, SSL provides the benefit that data transmitted cannot be viewed or tampered with by a 3rd party. SSL on a site after the login credentials were passed would still provide the above security measures. Obviously your credentials would now be known to an attacker, who could then log in as you.
Having https only on the login page is insecure: It means you don't use HSTS, which is the only protection against SSLStrip. It means an attacker can replace, on your http pages, your link to the login page with something else (like a pop-in that submits credentials to his server).
While less of a concern for smaller sites with little traffic, HTTPS can add up should your site suddenly become popular. Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn't work with virtual hosts.
HTTPS doesn't mean safe. Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.
According to The OWASP top 10 at no point can an authenticated session id be used over HTTP. So you create a session over HTTP and then that session becomes authenticated, then you have violated The OWASP Top 10 and you are allowing your users to be susceptible to attack.
I recommend setting the secure flag on your cookie. This is a terrible name for this feature but it forces cookies to be https only. This shouldn't be confused with "Httponly cookies", which is a different flag that is helpful at mitigating the impact from xss.
To make sure your users are safe I would force the use of HTTPS all of the time. ssl is a very lightweight protocol, if you run into resource problems, then consider chaining your https policies.
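The two controls named in the answers above (an HSTS header so the site cannot be downgraded by SSLStrip, and the Secure and HttpOnly flags on the session cookie) can be checked mechanically. The following is an added example, not code from any of the answers or from the site under discussion: it audits raw HTTP response headers and reports which of those controls are missing. The two sample responses are constructed for the example, and the one-year minimum max-age is an assumed policy value, not something the thread specifies.

```python
"""Audit HTTP response headers for HSTS and for Secure/HttpOnly cookie flags.

Example code written for this thread; the responses below are constructed
samples, not captures from any real server.
"""

from typing import Dict, List, Tuple

# Constructed sample: session cookie set without Secure/HttpOnly, no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
"""

# Constructed sample: the hardened form of the same response.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Assumed policy: require at least one year of HSTS, a common deployment value.
MIN_HSTS_AGE = 31536000


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs, skipping the status line.

    Header names are lower-cased because HTTP header names are
    case-insensitive; duplicate Set-Cookie headers are kept as separate pairs.
    """
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie name and its attribute names."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names only (Secure and HttpOnly have no value; Path=/ is ignored here).
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "attrs": attrs}


def audit(raw: str, min_hsts_age: int = MIN_HSTS_AGE) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    headers = parse_headers(raw)

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append(
            "no Strict-Transport-Security header (SSLStrip downgrade possible)")
    else:
        directives = {}
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            directives[key.lower()] = value
        try:
            age = int(directives.get("max-age", "0"))
        except ValueError:
            age = 0
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} is below {min_hsts_age}")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = cookie_flags(value)
        if "secure" not in cookie["attrs"]:
            findings.append(
                f"cookie {cookie['name']} lacks Secure (browser will send it over plain http)")
        if "httponly" not in cookie["attrs"]:
            findings.append(
                f"cookie {cookie['name']} lacks HttpOnly (readable by injected script)")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["ok"])
```

The check is deliberately header-level: it does not prove the site never serves the cookie over http, only that a browser honouring the Secure flag will refuse to send it there. Run it against the response of the authenticated page, not just the login page, since that is where the session cookie is actually issued.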
In addition to what The Rook says, submitting a form from http to https is a risk for a couple of reasons:
This is a much simpler attack than http cookie interception, so it's actually an even bigger risk...
But The Rook's point is important: you should never mix http and https traffic. On our websites, as soon as you're logged in, everything is https from that point on.
Apart from the previous answers, since people tend to want to go from HTTPS to HTTP for performance reasons, this article about HTTPS at Google might be of interest. Its main message is:
SSL/TLS is not computationally expensive any more.