Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Growing Bad Practice with Login Forms
From: Rogan Dawes (discarddawes.za.net)
Date: Tue Jul 27 2004 - 09:22:33 CDT
Konstantin Ryabitsev wrote:
> On Tue, 2004-07-27 at 09:55 -0400, Mark Curphey wrote:
>>But at that point its too late. The check for server authentication is done
>>after I have sent by username and password. This IMHO is a bad practice that
>>has started to creep into other sites including online banking.
> Not really. SSL verification is done before the HTTP headers are sent to
> the server (same reason why you can't have name-based SSL virtual
> hosting), so if there is SSL cert mismatch, your browser will alert you
> and if you cancel the connection then, the server won't see any of your
> In fact, presenting the login form on the SSL page won't win you
> anything, since there is no guarantee that you will submit your data to
> the same SSL-enabled server than the one that sent you the login form.
Not so. I assume that you trust the holder of the SSL cert that you
verified prior to submitting your credentials, otherwise you would not
do so ;-)
If they wanted to get your credentials, it is as easy to write an app on
their own server, as it is to modify their page to send your credentials
to a different server, and a lot less suspicious, too!
*ALL* messages to discarddawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"