Closed
Bug 145555
Opened 23 years ago
Closed 23 years ago
SSL post not encrypted?
Categories
(Core :: Security, defect)
People
(Reporter: bht237, Assigned: security-bugs)
Attachments
(1 file)
529 bytes,
text/html
The attached testcase demonstrates that a form submit with action="POST" to an
SSL server is executed as an unencrypted request.
At least the text in the security warning dialog indicates that this is happening:
"The information you have entered is to be sent over an unencrypted connection
and could easily be read by a third party."
This is sickening insofar as non-technical users who prepare themselves mentally
to enter a secure site get this misleading message before they even start.
Two message dialogs before the page is loaded. This is outrageous.
When viewing the testcase you may have to back up and delete your prefs.js so
you can be assured to get the default dialogs that new and/or security-aware
users get.
The fact that this testcase posts to an example URL that does not process post
requests is not critical for the result of this. I can assure you that there is
no difference in the critical part of the test if you change this to a secure
CGI type of target, servlet or other.
Comment 2•23 years ago
Duplicate of 'Submitting form with https action from http page brings up a "the
information you submit is insecure" dialog'
As described in that bug, such a submission is in fact insecure, since the page
you are submitting from is insecure and as such could easily be faked. It could
_look_ like you're logging into your bank, but the info will get sent to some
other secure web server.
Outrage may be better directed at sites that have insecure forms such as this...
*** This bug has been marked as a duplicate of 63095 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
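
An added example (not part of the bug report or of Mozilla's code): a small Python check that flags the condition Comment 2 describes, a form delivered over http whose action points at https, alongside the other page/target scheme combinations. The function names, verdict labels and example.com URLs are assumptions made for illustration, and the markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (method, raw action) for every <form> in a document."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            method = (a.get("method") or "get").lower()
            self.forms.append((method, a.get("action") or ""))


def audit_forms(page_url, html):
    """Classify each form by the scheme of the page and of the resolved action."""
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for method, action in collector.forms:
        target = urljoin(page_url, action)  # empty/relative actions resolve against the page
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "https" and target_scheme == "https":
            verdict = "ok"
        elif page_scheme == "http" and target_scheme == "https":
            # The case in this bug: the POST itself would be encrypted, but the form
            # arrived unauthenticated, so its action could have been altered in transit.
            verdict = "untrusted-origin"
        elif target_scheme == "http":
            verdict = "cleartext-submit"
        else:
            verdict = "review"
        findings.append({"method": method, "target": target, "verdict": verdict})
    return findings


# Constructed sample markup, not the attachment from this bug.
SAMPLE = """
<form method="POST" action="https://secure.example.com/login"><input name="pw"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for page in ("http://www.example.com/", "https://www.example.com/"):
        print(page, audit_forms(page, SAMPLE))
```

Serving the same markup from an https page turns both verdicts into "ok", which is the site-side fix the comment points toward.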