HTTPS but still non secure form?

on 14.03.2006 10:39:41 by Wim

Dear Group,

for a website, there is an HTTPS-connection. The homepage has a form:

action="javascript:authenticate()">





When I enter my user id and press "Login", then normally a popup should
show in which I type my password.

Now all of a sudden, before the popup for the password is shown, I get
this dialog box telling me that "When you send information to the
Internet, it might be possible for others to see that information. Do
you want to continue?".

I know that this dialog box can be switched off in the security
settings of Internet Explorer, that is not my question, what I wonder
about is: why do I get this dialog box? I thought the connection to be
secure, because the HTTPS-protocol is used?

Thank you and kind greetings,

Wim

Re: HTTPS but still non secure form?

on 14.03.2006 11:04:09 by Wim

Dear group,

> for a website, there is an HTTPS-connection. The homepage has a form:
>
>

> action="javascript:authenticate()">
>
>
>


my guess is that the warning gets shown because the "action" in the
form-tag consists of a javascript-function. This javascript is run
locally and hence not over a secured connection.

But this is really just a guess, I have no clue and every comment is
very welcome.

Thank you,

Wim

Re: HTTPS but still non secure form?

on 14.03.2006 12:05:39 by Ludovic Joly

Wim:
>I thought the connection to be secure, because the HTTPS-protocol is used

1. You can't "think" the communication is secure. You must "know" it
is, be sure about it. So I would suggest that you use ethereal and
sniff the wire to have a look at your traffic.
2. HTTPS is only secure for little demanding applications - that is
probably the case here.

Kind regards
Ludovic Joly

Re: HTTPS but still non secure form?

on 17.03.2006 10:50:39 by Wim

Dear Ludovic,

Ludovic Joly wrote:
> Wim:
> >I thought the connection to be secure, because the HTTPS-protocol is used
>
> 1. You can't "think" the communication is secure. You must "know" it
> is, be sure about it. So I would suggest that you use ethereal and
> sniff the wire to have a look at your traffic.

Thank you for correcting me, I have to say that you are right.

> 2. HTTPS is only secure for little demanding applications - that is
> probably the case here.

The problem is that the action that is called by the POST is a function
in a javascript. The browser does not know whether this is safe or not,
hence the warning.

Kind greetings and have a nice day,

Wim


--
If nobody has comments, I consider this thread closed.
Thank you for the reactions.
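
Added example, not part of the thread and not code from the site discussed: a small Python audit that lists each form's action on an HTTPS page and flags those whose scheme is not https, such as the javascript: action in the original post. The page URL, sample markup and function names are constructed for illustration; whether a given browser warns on such a form is an assumption, not something the thread establishes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def classify(page_url, action):
    """Resolve a form action against the page URL and label its scheme."""
    # An empty or missing action submits back to the page's own URL.
    target = urljoin(page_url, action) if action else page_url
    scheme = urlsplit(target).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "cleartext"
    # javascript:, mailto:, data: ... the markup alone does not say
    # where (or whether) the entered data is sent.
    return "opaque:" + scheme


class FormActionAudit(HTMLParser):
    """Collect (raw action, verdict) for every <form> start tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        raw = (dict(attrs).get("action") or "").strip()
        self.findings.append((raw, classify(self.page_url, raw)))


def audit(page_url, html):
    parser = FormActionAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; only the javascript: action comes from the thread.
SAMPLE = """
<form method="post" action="javascript:authenticate()"><input name="uid"></form>
<form method="post" action="/login"><input name="uid"></form>
<form method="post" action="http://portal.example/login"><input name="uid"></form>
<form method="post"><input name="uid"></form>
"""

if __name__ == "__main__":
    for raw, verdict in audit("https://portal.example/index.html", SAMPLE):
        print(f"{verdict:20} action={raw!r}")
```

For an "opaque:javascript" finding, the next step is to read the script function itself and confirm that whatever request it issues goes to an https URL.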