Results 1 to 3 of 3
  1. #1
    Star Lounger
    Join Date
    Dec 2009
    Location
    Marseilles
    Posts
    67
    Thanks
    5
    Thanked 1 Time in 1 Post
    I sometimes login to my ISP's webmail service. The address (HTTPS) the ISP gives for the login page actually defaults to a different page that is HTTP. When I check the page info in FF, it says there is no certificate.

    If I manually change the address in the title bar and add the "S", the page appears with the padlock and the details of the certificate are shown in the page info.

    Once I've logged in, the inbox also is displayed on a plain HTTP page with no certificate. If I change the address as above, I get a partially-secure page with a corresponding certificate.

    My ISP says it's perfectly normal and that their webmail service is entirely secure.

    Can anyone explain to me the nuts and bolts behind this quirk...?

    Thanks

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    For performance reasons, some sites only encrypt the logon process. Obviously that must be secured. If you go to the HTTP version of the logon page, view the source (how exactly depends on your browser, but try right-clicking a blank area of the page or using the View menu), and search for action= you should find that the logon form submits to an HTTPS page. If not, then the site is badly designed and should not be trusted with your personal data. (If the page containing the form already loaded using the HTTPS protocol -- beware of frames obscuring the actual protocol used -- then a relative path without any protocol can be used.)

    [attachment=88395:YahooMailLogonFormAction.png]

    After the logon is accepted, the server will send you a cookie to identify your session and may redirect either to a secure or unsecured page.

    As for the mailbox, are they claiming it's secure? Perhaps they need to give you a better explanation on that.

    == Edit ==

    I have to admit to an incomplete analysis of the Yahoo! logon example. As you can see, there is an onsubmit event handler. This checks the validity of information in the form before it can be submitted to the action URL.

    Code:
    function hash2(form){
      var passwd=form.passwd.value
      if(!form.passwd.value){return false;}
      if(ok_password(passwd)){return true;}
      var challenge=form[".challenge"].value;
      var fullhash=MD5(MD5(passwd)+challenge);
      form.passwd.value=fullhash;
      form[".md5"].value=1;
      form[".hash"].value=1;
      form[".js"].value=1;
      return true;
    }
    
    function ok_password(pw){
      var pwlen=pw.length;
      var pwChar="";
      for(i=0;i<pwlen;i++){
        pwChar=pw.charCodeAt(i);
        if(pwChar<32||pwChar>126){return false;}
      }
      return true;
    }
    In some cases, the onsubmit actually does the logon, without submitting the page at all. This is how slick Web 2.0 interfaces are created, but it makes it harder to track down whether the logon is secure because then you have to read the URL in the page's JavaScript.

    Finally, it's possible to intercept the click on a form submit button and run scripts even before the browser considers the instructions in onsubmit and action. So it's dangerous to rely solely on the action value, and I apologize for the initially incomplete response.
    Attached Images Attached Images

  3. #3
    Star Lounger
    Join Date
    Dec 2009
    Location
    Marseilles
    Posts
    67
    Thanks
    5
    Thanked 1 Time in 1 Post
    Thanks for the info. Sorry it took so long to respond.

    Interestingly enough, the page in question now shows a secure address

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •