0

I would like to make the login process more secure, and to achieve it I'm thinking of starting to use HTTPS. I have never used it before.

Now on the main page the user sees a login link, and a div with the login form is already loaded together with the main page. The user clicks on the login link and immediately sees the LoginForm. In the action attribute of the form I will put a URL beginning with https. So my question: will this username and password be sent out by a protected protocol or not?

P.S. I have no registered certificate, so most modern browsers actually show a page about risks ... so how does everyone usually solve such issues?

Andrey Rubshtein
user1016265

3 Answers

1

The user's login details will be sent encrypted, but because your main page isn't using HTTPS the user won't see the expected padlock symbol, and might be wary about using the form.

Put it another way: without using View source there's no way for the user to know whether your form is secure or not.

The only fully safe and obvious way to do what you're doing is to serve any page that offers the login form via HTTPS, eg. by redirecting http://mysite.com to https://mysite.com. Twitter is an example of a site that does this.

RichieHindle
  • Automatic redirection from `http://` to `https://` only mitigates the risk, in that it gets the user used to expecting `https://` for that site. It assumes a network where no MITM is attacking, though (see [this question](http://webmasters.stackexchange.com/a/28443/11628)). – Bruno Jun 19 '12 at 11:05
1

The entire HTTP request will be encrypted, including headers and query parameters (more details in this answer).

However, you should also make sure the landing page is using HTTPS. An essential point of the security offered by HTTPS is that only the client can really check it: the user has to see it in use via the user interface first. You'll find more details in this OWASP rule (and in this previous answer to a similar question).

As for the browser warnings regarding your cert: you'll need to get a certificate from a CA recognised by most browsers.

Bruno
0

Best approach would be to always force HTTPS, not just for login and after that, which can usually be accomplished via webserver configuration (you haven't mentioned which webserver you are using).

You will need a certificate issued by a trusted certificate authority, which usually costs money, but there are also free certificates — e.g. from StartSSL (I have no affiliation with them).

lanzz
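The answers' recommendation to force HTTPS for every page (not only the login form) as an added example, not code from the question or any answer: a WSGI middleware that redirects plain-HTTP GETs to the HTTPS URL and refuses a plain-HTTP POST outright, since its body has already crossed the wire unencrypted. The host `mysite.com` comes from the first answer; the application and helper names are assumptions.

```python
"""Added example: force every request onto HTTPS (WSGI middleware)."""
from urllib.parse import quote


def force_https(app, canonical_host):
    """Wrap a WSGI app so nothing is served over plain HTTP.

    canonical_host is configured, not taken from the Host header, so a
    forged Host header cannot turn the redirect into an open redirect.
    """
    def wrapped(environ, start_response):
        # wsgi.url_scheme is set by the server (or by a TLS-terminating
        # proxy's trusted configuration), not by the client.
        if environ.get("wsgi.url_scheme") == "https":
            return app(environ, start_response)
        target = "https://" + canonical_host + quote(environ.get("PATH_INFO", "/"))
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
            # Body-less request: send the browser to the HTTPS URL.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        # A POST over HTTP has already exposed its body (credentials) in
        # clear text; redirecting would only resend or drop it. Refuse it.
        body = b"Login must be submitted over HTTPS.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return wrapped


def login_app(environ, start_response):
    """Stand-in for the real application (assumption)."""
    body = b"login form\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method, scheme, path, query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query, "HTTP_HOST": "mysite.com"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Calling `call(force_https(login_app, "mysite.com"), "GET", "http", "/login")` yields the 301 to `https://mysite.com/login`, while the same request with `scheme="https"` reaches the application.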