Is a secure domain (HTTPS) totally necessary for a sign in page?

It seems that most major websites will use a secure domain, but there are a few major exceptions, notably Facebook and Twitter.

The benefits of using a secure domain are obvious I suppose - your login credentials are never transmitted in plain text.

So how do major sites like Facebook and Twitter get away with it? If a secure domain is not available for some reason, what extra precautions might one take?

Kenan Banks asked Aug 02 '09 03:08



2 Answers

If security is at all important: Yes, the sign in page must be https, as must the page that it posts to. There simply is no other way.

If you visit a page, and it isn't https, you absolutely cannot trust anything submitted from that page. Since the connection is not protected, it can be easily tampered with (perhaps by making it submit to a non-https page, or perhaps submitting to an altogether different domain, which you will never know until it is too late). Whereas if you visit an https page, you can trust it. You know where the page originated from and that it hasn't been tampered with. And of course you must submit to an https page, since you want that data to be encrypted (and the browser should warn you if it tries to submit a form from an https page to a non-https page).

Adam Batkin answered Nov 08 '22 11:11


Sorry for the late post but I don't think anyone above addressed the key element to how Facebook and Twitter do it. The main part is, their non-HTTPS login form posts to an absolute URL over HTTPS.

Look at the action:

// facebook
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

// twitter
<form method="post" id="signin" action="https://twitter.com/sessions">

In this case, a form's "action" is set to use https and the SSL handshake takes place before any data is sent so the connection is secure. (Whether or not the original form is displayed using https doesn't matter.) However, if the form action used a relative path, then it would default to the protocol that was used to display the form. Bottom line, you must use an absolute URL if you want to establish an SSL session before your credentials are sent.

RADA answered Nov 08 '22 11:11
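The relative-versus-absolute action rule from the answer above, as an added example (not code from either answer or from Facebook or Twitter): it resolves each form's action against the URL of the page that served it, the way a browser does, and reports which submissions would leave the browser over plaintext HTTP. It also flags that a page served over HTTP can itself be rewritten in transit, which is the first answer's point. The page URL, hostnames and form markup are constructed samples, and the form-tag scanner is a simplified parser for that sample, not a general HTML parser.

```javascript
// Added example: audit login forms for plaintext submission.
// Page URL and markup below are constructed samples, not live sites.

// Resolve a form's action attribute against the URL of the page that
// served the form. An empty or missing action submits to the page itself,
// and a relative action inherits the page's protocol.
function resolveAction(pageUrl, action) {
  const base = new URL(pageUrl);
  return action ? new URL(action, base) : base;
}

// True when credentials would be sent without TLS.
function submitsInClear(pageUrl, action) {
  return resolveAction(pageUrl, action).protocol !== "https:";
}

// Scan the markup for <form> tags and classify each one.
// Simplified tag/attribute matching for the constructed sample only.
function auditForms(pageUrl, html) {
  const pageIsClear = new URL(pageUrl).protocol !== "https:";
  const results = [];
  for (const tag of html.match(/<form\b[^>]*>/gi) || []) {
    const m = /\baction\s*=\s*["']([^"']*)["']/i.exec(tag);
    const action = m ? m[1] : "";
    const target = resolveAction(pageUrl, action);
    results.push({
      action,
      resolved: target.href,
      // Credentials travel unencrypted if the resolved action is not https.
      clearText: target.protocol !== "https:",
      // Even an https action is only as trustworthy as the page carrying it:
      // an http page (and its action attribute) can be altered in transit.
      pageTamperable: pageIsClear,
    });
  }
  return results;
}

// Constructed sample: a login page served over plain HTTP with three forms.
const SAMPLE_PAGE = "http://www.example.com/login";
const SAMPLE_HTML = `
<form method="post" action="https://login.example.com/login.php?login_attempt=1" id="absolute">
<form method="post" action="/sessions" id="relative">
<form method="post" id="no-action">
`;

// auditForms(SAMPLE_PAGE, SAMPLE_HTML): only the "absolute" form has
// clearText === false; all three have pageTamperable === true.
```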