Concerns about the use and lack of use of HTTPS with ICMS

by tedsmith on 2010/11/12 14:23:00

Hi all

I've received an e-mail from a member of my website as follows:


Just noticed that the login page (even when viewed over HTTPS) actually sends the login traffic in-the-clear over the internet. The actual HTML code fragment of relevance is:

<form style="margin-top: 0px;" action="http://www.mysite.com/user.php" method="post">


Again, with my security hat on, that's horribly bad practice. We'd normally recommend that login pages are viewable over HTTP - but that the actual form submission posts over HTTPS. Post-login, all traffic should be sent over HTTPS - to prevent interception of session cookies.


This is not something that has not been on my 'To Do' list, and his e-mail has motivated me to try and look into this.

I do have https available on my server, and the secure login page does use the https protocol, but a) is the claim that even then the login is sent clear true and if so, why? b) how easy is it to make the whole site, by default, use the https port rather than http? And c) what potential issues are there by doing this?

Ta

Ted
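The problem the member describes is a mixed-scheme form: the page arrives over HTTPS, but the `<form action="http://...">` sends the submitted credentials over plain HTTP. The following is an added example (not code from the original post or from the CMS) of a defender-side check for that condition: it parses the HTML, resolves each form action against the URL the page was loaded from, and reports any action that would submit over a non-HTTPS scheme. The sample HTML is constructed for the example; only the `www.mysite.com/user.php` form from the post is taken from the thread.

```python
"""Flag HTML forms that would submit over plain HTTP.

Added example, not part of the original forum post. The HTML samples below are
constructed; the form tag with action="http://www.mysite.com/user.php" is the
one quoted in the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect (action, method) for every <form> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def insecure_form_actions(page_url, html):
    """Return the resolved action URLs of forms that would post over non-HTTPS.

    page_url is the URL the page itself was loaded from. Relative actions are
    resolved against it, so a relative action on an HTTPS page passes, while an
    absolute http:// action is flagged even when the page came over HTTPS.
    Conversely, a relative action on a page served over plain HTTP is flagged,
    because the browser would then submit over HTTP as well.
    """
    parser = FormActionCollector()
    parser.feed(html)
    flagged = []
    for action, _method in parser.forms:
        target = urljoin(page_url, action)  # '' resolves to the page itself
        if urlparse(target).scheme != "https":
            flagged.append(target)
    return flagged


# Constructed sample: the form quoted in the thread (absolute http:// action).
BAD_HTML = (
    '<html><body>'
    '<form style="margin-top: 0px;" action="http://www.mysite.com/user.php" method="post">'
    '<input name="uname"><input name="pass" type="password"></form>'
    '</body></html>'
)

# Constructed sample: the same form with a scheme-relative action, which
# inherits the scheme of the page it is served on.
FIXED_HTML = (
    '<html><body>'
    '<form action="/user.php" method="post">'
    '<input name="uname"><input name="pass" type="password"></form>'
    '</body></html>'
)

if __name__ == "__main__":
    for label, url, html in (
        ("quoted form, page over HTTPS", "https://www.mysite.com/user.php", BAD_HTML),
        ("relative action, page over HTTPS", "https://www.mysite.com/user.php", FIXED_HTML),
        ("relative action, page over HTTP", "http://www.mysite.com/user.php", FIXED_HTML),
    ):
        print(label, "->", insecure_form_actions(url, html) or "ok")
```

The third case in the usage block is the reason a relative action alone is not enough: once the action no longer hard-codes a scheme, the form is only as safe as the page that carries it, so the login page itself must be delivered over HTTPS.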