Re: Growing Bad Practice with Login Forms

From: Andrew Steingruebl (asteingrueblcccis.com)
Date: Tue Jul 27 2004 - 09:07:07 CDT


On Tue, Jul 27, 2004 at 09:55:33AM -0400, Mark Curphey wrote:
>
> In the top left hand corner you will see their secure login button and a
> graphical padlock embedded into the HTML. Of course if you look at the form
> tags, this does indeed submit the form over SSL and in the process the SSL
> handshake checks the certificate and my browser should verify that I am
> indeed sending my password to isaca.org.
>
> But at that point it's too late. The check for server authentication is done
> after I have sent my username and password. This IMHO is a bad practice that
> has started to creep into other sites including online banking.

I'm not sure I understand your complaint. Yes, it does allow a site to
pretend to use encryption and then not, but the SSL handshake is done
before any data is sent to the remote server. The server's certificate
will be verified before any other data flows between the client and
server.

What specifically are you concerned with?

--
Andy Steingruebl
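An added example, not from either poster: a small Python audit that flags the pattern Mark describes, a form with a password field sitting on a page served over plain HTTP, even when its action posts over HTTPS (the handshake then protects the credentials in transit, but the form itself arrived unauthenticated). The page URL and HTML below are constructed sample input; the function and class names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormFinder(HTMLParser):
    """Collect every <form> on a page together with its resolved action URL
    and whether it contains an <input type="password">."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: {"action": str, "has_password": bool}
        self._current = None   # the form whose tags we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or empty action resolves against the page URL.
            self._current = {"action": urljoin(self.page_url, attrs.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return (action_url, verdict) for each password form on the page.
    "insecure-action": credentials would travel unencrypted.
    "insecure-page":   action is HTTPS, but the form came over HTTP, so an
                       attacker who can alter the page can redirect the POST.
    "ok":              both the page and the action use HTTPS."""
    parser = LoginFormFinder(page_url)
    parser.feed(html)
    parser.close()
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlparse(form["action"]).scheme.lower()
        if action_scheme != "https":
            verdict = "insecure-action"
        elif page_scheme != "https":
            verdict = "insecure-page"
        else:
            verdict = "ok"
        findings.append((form["action"], verdict))
    return findings


# Constructed sample: an HTTP home page whose "secure login" form posts over HTTPS.
SAMPLE_URL = "http://www.example.test/"
SAMPLE_HTML = """<html><body>
<form action="https://www.example.test/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for action, verdict in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict}: {action}")
```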