Security Corner

Oct 19 2009   11:34PM GMT

Trust Only https:// on Form Pages

Ken Harthun

How often, when you log into a site that requires a username and password, do you check to see if the connection is secure? You probably don’t give it a second thought. Most people don’t. For many sites, like newspapers, online magazines, etc., it probably doesn’t matter much. Who cares if someone logs into a news site with your credentials? They’re not going to gain anything by doing so, and there’s no identity or personal financial information at stake.

For any site where you are accessing or entering sensitive identity or financial information, such as bank account or credit card numbers, or government program IDs such as Social Security numbers, state identification numbers or the like, you are seriously at risk of identity theft if you trust this information to a form that is served as “http://[URL].” It’s true that the Submit button may send the information using https:// (SSL), but there is no guarantee that this will happen: the page carrying the form arrived over plain http, so nothing protected it on the way to you, and you risk sending your information “in the clear.”

Best practice: change all of your bookmarks pointing to financial and other sensitive site login pages to read “https://[URL of site].”

2 Comments on this Post

  • MichaelSeese
    So you can actually force it to https? I did not know that. Cool advice. Thanks. -- Michael Seese, CISSP, CIPP, author of Scrappy Information Security (http://www.amazon.com/Scrappy-Information-Security-plain-English-Biometrics/dp/1600051324/ref=sr_1_1?ie=UTF8&s=books&qid=1245928166&sr=1-1)
  • SAPjava74
    Well, the webserver has to be listening on port 443 and have a valid SSL certificate for it to really have https sessions.
