mario
Posted: Fri Oct 18, 2013 3:55 pm    Post subject: Re: Poor practice

twobuckes wrote:
It is poor practice to encourage users to sign in on pages that are not https. The only way that a user has of knowing that a sign in is secure is the padlock symbol (in the browser chrome) which indicates that the whole page is https. Users should not sign in on pages that do not have the padlock.


So you don't (log in from there). No one is preventing you from accessing Gixen via https://www.gixen.com and logging in from there if you believe the risk of a login form loaded over non-SSL is significant. In theory it's possible someone could tamper with such a form. In practice I have yet to hear of a single case of that happening. Technically it's more difficult to do than to sniff the password, and impossible to do without the risk of such an attack being detected.
Cupid
Posted: Fri Oct 18, 2013 5:21 am    Post subject:

Personally, I like the simple layout provided by Gixen.

The alternative would be to provide a separate page that does nothing other than log you in. I'd rather keep the current interface but perhaps an https login page could additionally be provided somewhere else on the site.

As Mario has tirelessly explained, that would only be catering to best practice; in terms of security it really isn't necessary, and the current interface is adequate and entirely fit for purpose.
twobuckes
Posted: Fri Oct 18, 2013 1:51 am    Post subject: Poor practice

It is poor practice to encourage users to sign in on pages that are not https. The only way that a user has of knowing that a sign in is secure is the padlock symbol (in the browser chrome) which indicates that the whole page is https. Users should not sign in on pages that do not have the padlock.
mario
Posted: Sat Aug 31, 2013 3:46 pm    Post subject:

SSL is used during login, during which a session id is generated. After that, traffic is redirected to plain http. Your password is never transmitted over plain http, but your traffic is (e.g. adding, deleting and modifying snipes).

Mirror subscribers are on SSL all the time, the session is never redirected back to plain http.
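The arrangement described in this thread (a login form served on a plain-http page that submits to https, followed by a session that continues over plain http, versus the mirror where everything stays on SSL) can be checked from the client side without guessing. The script below is an added example for readers of this thread; it is not Gixen's code and nothing in it was captured from gixen.com. The page URL, the HTML and the Set-Cookie lines are constructed stand-ins that model the two cases the posts describe. It answers the two questions twobuckes and mario are arguing about: does the password form post to an https URL even though the page itself is http, and is the session cookie marked Secure, i.e. can the browser ever send it over plain http at all.

```python
"""Audit a login page and its Set-Cookie headers for the two properties
discussed above: where the password form submits, and whether the session
cookie is confined to TLS.  Example code for the thread, not Gixen's own."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# --- constructed sample input (not captured from any real site) ----------
SAMPLE_PAGE_URL = "http://www.example.com/"          # page served over plain http
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="https://www.example.com/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""
# Session cookie for a session that continues over plain http: it cannot
# carry the Secure flag, or the browser would stop sending it.
SAMPLE_SET_COOKIE_HTTP = ["sessionid=abc123; Path=/; HttpOnly"]
# Session cookie for an all-SSL (mirror-style) session.
SAMPLE_SET_COOKIE_MIRROR = ["sessionid=abc123; Path=/; Secure; HttpOnly"]


class _FormFinder(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per password form: resolved action URL, whether the
    form posts over TLS, and whether the page that served it was itself TLS."""
    parser = _FormFinder()
    parser.feed(html)
    page_over_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # '' resolves to the page itself
        findings.append({
            "action": target,
            "posts_over_tls": urlsplit(target).scheme == "https",
            "page_over_tls": page_over_tls,
        })
    return findings


def insecure_cookies(set_cookie_headers):
    """Names of cookies that lack the Secure attribute, i.e. cookies the
    browser will also send over plain http."""
    exposed = []
    for value in set_cookie_headers:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "secure" not in flags:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for f in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_LOGIN_HTML):
        print("password form posts to", f["action"],
              "| posts over TLS:", f["posts_over_tls"],
              "| page over TLS:", f["page_over_tls"])
    print("cookies sent over plain http (http session):",
          insecure_cookies(SAMPLE_SET_COOKIE_HTTP))
    print("cookies sent over plain http (SSL mirror):",
          insecure_cookies(SAMPLE_SET_COOKIE_MIRROR))
```

On the constructed input the form posts to https while the page is http (the padlock is absent, exactly twobuckes' complaint, but the password itself does travel over TLS, which is mario's point), and the http-session cookie comes back as exposed while the mirror-style cookie does not. To run it against a live site, replace the constants with the page body and the Set-Cookie headers from a real login response.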
johntll
Posted: Sat Aug 31, 2013 11:17 am    Post subject: Says SSL but no security encryption indicated??

Tried on Firefox and Microsoft IE, and it is not showing https or any other indication that it is an encrypted site of any sort. Yet, it says it's SSL.

Can somebody explain this??

Powered by phpBB © 2001, 2005 phpBB Group