eCommerce Tycoon

**mg1313** · 07-17-2008, 12:38 PM

In short should be the login page (where you enter your user and password) under SSL before submitting the page or it's ok that the login page to be on regular HTTP but when you submit to go to HTTPS (SSL)?

Which way assures you a encrypted communication?

Like Apple has it here: http://store.apple.com/1-800-MY-APPL...2.0.26.9.5.7.1

Or Hotmail has it here: http://login.live.com/login.srf?wa=w....aspx&id=64855

Or like Target has it here: http://www.target.com/gp/flex/sign-i...604016-7503003

**willcode4beer** · 07-17-2008, 02:37 PM

in short, it doesn't matter if the login page is encrypted or not, as long as it is submitting to an encrypted URL (via POST.

**mg1313** · 07-17-2008, 09:53 PM

Well, I found this info.

These articles are saying the opposite...that the Login page and the action page should be both under SSL (mostly because of the phishing problem):

- http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
- http://my.opera.com/yngve/blog/show.dml/281609
- http://blogs.zdnet.com/Ou/?p=226
- http://blogs.zdnet.com/Ou/?p=201

If we think a bit they are right: how do I know that the login page is the one I want to be and it wasn't phished? But if it's under SSL then I will know to whom that page belongs.

**gadiandi** · 07-21-2008, 10:37 AM

willcode4beer is right that it will always be encrypted as long as you POST to https but the first article you posted clearly demonstrates why you should really have the login page encrypted as well.

**willcode4beer** · 07-21-2008, 09:24 PM

the issue mentioned in the first article could affect "secure" pages too.
If a third party can get javascript running in the page, it doesn't matter if it's https or not.

The only useful info in that page is the reference to the UI element not being present on non-secure pages. Most people never bother checking for it anyway, as mentioned in the article, many banks have non-secure login pages.