Re: [Full-disclosure] Insecure http pages referencing https form-actions.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Insecure http pages referencing https form-actions.
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 10 Aug 2005 13:25:20 +1200
fd@xxxxxxxxxx wrote:
> Today I realized that many "secured" web sites reference their secure
> login page from an insecure page. For example:
>
> http://www.some-luser.com/login.html:
> <form action="https://cgi.some-luser.com/login-cgi">
> user: <input name=user>
> pass: <input name=pass>
> </form>

Welcome to, ohhh, 1997???

I can't be bothered looking it up, but this is ancient.

Of course, that it still happens really, often, on huge sites that
really should know better says a lot about, well, many things really...

Regards,

Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
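
An added example, not part of the original message: a small audit helper that flags the pattern quoted above, where a form is delivered over plain http even though its action points at https, so the form markup itself arrives without TLS integrity protection. The function name `audit_forms`, the verdict strings and the sample constants are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return one finding per form: resolved action, field names, verdict."""
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "https" and target_scheme == "https":
            verdict = "ok"
        elif page_scheme == "http" and target_scheme == "https":
            verdict = "http-page-https-action"  # the pattern in the quoted post
        else:
            verdict = "cleartext-submit"  # data itself leaves over plain http
        findings.append({"action": target, "inputs": form["inputs"],
                         "verdict": verdict})
    return findings

# Constructed sample: the markup quoted in the post, at its http:// URL.
SAMPLE_URL = "http://www.some-luser.com/login.html"
SAMPLE_HTML = """<form action="https://cgi.some-luser.com/login-cgi">
user: <input name=user>
pass: <input name=pass>
</form>"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` returns a single finding with the verdict `http-page-https-action`; the same markup served from an https page is reported as `ok`.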