Why is it that the login isn't secured through HTTPS?

0 votes
asked by user: (120 points)

Firefox recently added an information dialog, which tells us when login data could be compromised (because it is sent over plain HTTP). Why is it that so many websites are secured through SSL, but they leave out the login process? Are those things that much different? If SSL already works, why not also use it for the login process? How could this have become a problem in the first place? I mean, it takes some work to set up SSL for a backend application, but isn't it free to link it to the login too? Are there pitfalls or something when you do that?

commented by user: (420 points)
"Why is it that so many websites are secured through SSL, but they let out the login process?" - can you provide some examples of such sites? I have not seen any that use SSL everywhere but on the login.

1 answer

0 votes
answered by user: (4.1k points)

There is no reason to leave the login out of https. Quite the opposite.

If the login page uses https but the form has an http target, even if that target redirects to https, it's insecure and the browser will probably display a warning. There is no reason not to change the target to directly use https.

And, the only secure configuration is to use https on all the webpages, with HSTS. Any other configuration makes https webpages vulnerable to MitM/SSLStrip attacks.
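To make the answer's three conditions concrete, here is an added example (not code from the original post) that audits a login page the way a browser's "insecure login" warning does: it checks that the page is served over https, that any form carrying a password field resolves its action to an https:// URL (a later redirect does not help, the credentials have already left in clear text), and that a Strict-Transport-Security header is present. The sample HTML, URL and headers are constructed for the example.

```python
# Added example (not from the original post): audit a login page the way a
# browser's "insecure login" warning does. Sample HTML is constructed inline.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect [action, has_password_field] for every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and (a.get("type") or "").lower() == "password":
            self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_login_page(page_url, html, headers):
    """Return findings; an empty list means nothing to warn about."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page served over plain HTTP")
    parser = _FormFinder()
    parser.feed(html)
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # Resolve like a browser: "" or a relative path means the page URL itself.
        # A redirect to https at the target is too late; the POST already went in clear.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append("password form posts to insecure target " + target)
    if "strict-transport-security" not in {k.lower() for k in headers}:
        findings.append("no Strict-Transport-Security header (downgrade/SSLStrip risk)")
    return findings


# Constructed sample: page itself on https, but the form still posts to http.
SAMPLE_HTML = ('<form method="post" action="http://example.test/login">'
               '<input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for f in audit_login_page("https://example.test/login", SAMPLE_HTML, {}):
        print("WARN:", f)
```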

commented by user: (120 points)
But if there is no reason to NOT include the login process, why did Mozilla (and AFAIK Google too, soon) feel the urge to create a warning for exactly that? I noticed that there are a LOT of websites where the login process is insecure. I don't really get it.
commented by user: (4.1k points)
@TrudleR I said "There is no reason to NOT change", and there is a very good reason to change it: security. There is NO reason to keep http. That's why Mozilla displays a warning.
commented by user: (120 points)
I'm not a native speaker, which is why you misunderstood me, sorry. My point is: if it is no issue to cover the login, WHY are there so many websites that do not cover their login, so that Mozilla felt the need to warn users? If websites use HTTPS, and it's no problem to implement it, why aren't developers doing that? There has to be a reason why the logins are often not secured. If it's easier to cover everything with HTTPS, this issue wouldn't exist at all, right?
commented by user: (4.1k points)
Reasons why they do that stupid thing: 1) they don't know it's stupid; 2) they know it but don't have time to fix it. So thanks to Mozilla, now they know it's stupid, and customers can shame them to push security up in their priorities!