<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:admin="http://webns.net/mvcb/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
	<channel>
	  <title>Ask MetaFilter questions tagged with https</title>
      <link>http://ask.metafilter.com/tags/https</link>
      <description>Questions tagged with 'https' at Ask MetaFilter.</description>
	  <pubDate>Tue, 01 Dec 2009 18:39:33 -0800</pubDate> <lastBuildDate>Tue, 01 Dec 2009 18:39:33 -0800</lastBuildDate>

      <language>en-us</language>
	  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
	  <ttl>60</ttl>	  
	<item>
	<title>Are login boxes on http:// pages secure?</title>
	<link>http://ask.metafilter.com/139559/Are%2Dlogin%2Dboxes%2Don%2Dhttp%2Dpages%2Dsecure</link>	
	<description>Some major websites--such as Facebook, Vox and others (but not Metafilter!)--have users enter username &amp;amp; password on an http page rather than an https page.  Is this as secure as logging in via https:// and if so, why?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2009:site.139559</guid>
	<pubDate>Tue, 01 Dec 2009 18:39:33 -0800</pubDate>
	<category>http</category>
	<category>https</category>
	<category>login</category>
	<category>password</category>
	<category>secure</category>
	<category>username</category>
	<dc:creator>mono blanco</dc:creator>
	</item>
	<item>
	<title>Am I being overly zealous about &quot;proper SSL implementation?&quot;</title>
	<link>http://ask.metafilter.com/95387/Am%2DI%2Dbeing%2Doverly%2Dzealous%2Dabout%2Dproper%2DSSL%2Dimplementation</link>	
	<description>Am I being overly zealous about &quot;proper SSL implementation?&quot; We&apos;ve been working with this new collections agency for a few months now.  From the very beginning, I noticed that their PHP-driven website was not secured with SSL so I refused to use it and would instead manually encrypt data (256-bit AES) and submit it to them via email.  My security concerns caused me to question the entire outfit, but I was informed about how reputable the company is, and how much better they would be than our current agency, etc.&lt;br&gt;
&lt;br&gt;
They have a &quot;Place Accounts&quot; page on their website where you are expected to fill out a full-blown help-us-skip-trace form (including social security numbers) which was not secured.  You also have the option of uploading CSV files.  In either event, the page was not secured.&lt;br&gt;
&lt;br&gt;
I asked them to implement SSL (and secure FTP, if possible).  A month later, you go to their &quot;Place Accounts&quot; page and are told by IE &quot;this page contains secure and non secure items...&quot;  The page itself was an https resource, but the &quot;action&quot; property of the form redirected to a non-secure URL, meaning that when you filled out the form (or uploaded the file) the transaction was not encrypted (correct?).&lt;br&gt;
&lt;br&gt;
So I complained about this, and they changed the &quot;action&quot; property of the form to redirect to a secure resource, but then changed the way they link to the &quot;Place Accounts&quot; page, so that their &quot;Place Accounts&quot; page was once again a standard http resource, eliminating the &quot;secure and non-secure items&quot; warning from IE but giving the user no visual cue (no padlock icon, or https) that the site is secure.&lt;br&gt;
&lt;br&gt;
I complained again; a month later we&apos;re back to an https &quot;Place Accounts&quot; page, the &quot;action&quot; property of the form is secure, but the page still contains &quot;secure and non-secure items,&quot; which causes a warning, does not present a padlock icon, and therefore requires a careful user to scrutinize the source to truly know that the page is &quot;secure enough.&quot;  Sure, it&apos;s probably usable at this point, but this is sort of like dealing with terms and conditions that can change at any time; if I can&apos;t just glance and see a padlock, how do I know, each and every time I use the page, that it hasn&apos;t been tweaked and broken again?  &lt;br&gt;
&lt;br&gt;
At this point I feel I should inform them that their web administrator / developer is incompetent.  Am I being overzealous?  How should I approach this?  I&apos;ve been working with their IT manager who I&apos;d expect should be able to communicate with the web team, but do I need to grab the bull by the horns and talk to these guys directly?  Should it really be this complicated?  Why not just secure the entire site and use SSL everywhere to eliminate all doubt?&lt;br&gt;
&lt;br&gt;
I&apos;ve explained what I&apos;m looking for many times (the entire &quot;Place Accounts&quot; page should be secured in order to present the padlock icon and no warnings) and it seems they take an entire month to make a change and get back to me, and it&apos;s a different, less-than-ideal result each time.&lt;br&gt;
&lt;br&gt;
I&apos;m also curious about your general attitudes towards encryption of data in transit.  I deal with HIPAA a lot, which contains &quot;addressable&quot; requirements for encryption.  I am often told by different folks that my approach to security is paranoid; &quot;nobody&apos;s going to intercept that file!  That&apos;d be too hard!&quot;  In the case of email there are plenty of ways to breach security without intercepting individual packets (i.e. guessing a webmail password), whereas in an HTTPS situation, there isn&apos;t a cheesy Yahoo account on the other end, and you&apos;re more specifically concerned about interception in transit.&lt;br&gt;
&lt;br&gt;
This isn&apos;t the first business I&apos;ve encountered that deals with confidential information yet can&apos;t seem to properly implement SSL.  Back me up here or tell me how you see it.  I don&apos;t want this to become chatfilter, but I need your help in calibrating my security perspective.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.95387</guid>
	<pubDate>Mon, 30 Jun 2008 08:49:43 -0800</pubDate>
	<category>compliance</category>
	<category>confidential</category>
	<category>encryption</category>
	<category>hipaa</category>
	<category>https</category>
	<category>php</category>
	<category>security</category>
	<category>ssl</category>
	<category>ssn</category>
	<dc:creator>aydeejones</dc:creator>
	</item>
	<item>
	<title>Redirecting subdomain to https</title>
	<link>http://ask.metafilter.com/93830/Redirecting%2Dsubdomain%2Dto%2Dhttps</link>	
	<description>I need to redirect all traffic on a subdomain to https instead of http. mod_rewrite is installed, but I don&apos;t know how to use it. So for a couple different subdomains I need to force https; in other words, I want any requests to: &lt;br&gt;
&lt;br&gt;
http://sub1.example.com&lt;br&gt;
&lt;br&gt;
to go to: &lt;br&gt;
https://sub1.example.com &lt;br&gt;
&lt;br&gt;
I found a couple examples online, but I&apos;m not familiar enough with mod_rewrite and .htaccess files to make it work. Help, I&apos;m clueless!</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.93830</guid>
	<pubDate>Wed, 11 Jun 2008 14:44:44 -0800</pubDate>
	<category>htaccess</category>
	<category>https</category>
	<category>mod_rewrite</category>
	<category>subdomain</category>
	<dc:creator>The Radish</dc:creator>
	</item>
	<item>
	<title>Getting a simple https folder to call my own</title>
	<link>http://ask.metafilter.com/93329/Getting%2Da%2Dsimple%2Dhttps%2Dfolder%2Dto%2Dcall%2Dmy%2Down</link>	
	<description>Is there a hosting service that will provide me a directory to put some simple https (SSL) content without a lot of $$$ and effort? Basically I want to drop 10 GIF files in a directory that can be accessed by an https:// URL.  This would let me create customized buttons for my secure mals-e shopping cart without triggering the &quot;unsecured content&quot; message on browsers.&lt;br&gt;
&lt;br&gt;
My hosting service is Dreamhost but they have a ridiculous series of hoops you have to go through just to get a simple https server, including getting a static IP and certificates.  I recall years ago my old hosting service let you just switch out http with https in the URL and get the same content, which Dreamhost doesn&apos;t allow.  I tried.&lt;br&gt;
&lt;br&gt;
Again I just want to put 10 GIF images in a directory of my own and not be paying $200 and spend half the afternoon setting things up.  What would be the best route for this?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.93329</guid>
	<pubDate>Thu, 05 Jun 2008 13:22:40 -0800</pubDate>
	<category>hosting</category>
	<category>https</category>
	<category>server</category>
	<category>ssl</category>
	<dc:creator>tinkertown</dc:creator>
	</item>
	<item>
	<title>Sending sensitive information over email?</title>
	<link>http://ask.metafilter.com/70545/Sending%2Dsensitive%2Dinformation%2Dover%2Demail</link>	
	<description>Is there any simple way to encrypt the information in a web form and deliver it via email? I&apos;m working on a project for a client requiring that credit card information be delivered over email. They will then process it in line with orders taken by mail and by phone.&lt;br&gt;
&lt;br&gt;
I know very little about email security, but I do know it&apos;s probably a bad idea to send it in plain text.&lt;br&gt;
&lt;br&gt;
My thought is to send the form information to a PHP script that creates either an encrypted PDF or an encrypted zip archive containing a plain text file and emails it to my client. But when the info moves from the form to the PHP script, it&apos;s out there for everyone to see, right? Would loading the PHP script in an iframe help? Is this something that needs to be done over https? Encrypted email? How hard would it be for a rather tech-unsavvy person to set that up?&lt;br&gt;
&lt;br&gt;
I&apos;m really just lookin&apos; for ideas at this point. Thanks!</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2007:site.70545</guid>
	<pubDate>Fri, 31 Aug 2007 12:59:46 -0800</pubDate>
	<category>email</category>
	<category>encryption</category>
	<category>https</category>
	<category>php</category>
	<category>security</category>
	<dc:creator>Plug Dub In</dc:creator>
	</item>
	<item>
	<title>What data types should I use SSL to pass?</title>
	<link>http://ask.metafilter.com/60367/What%2Ddata%2Dtypes%2Dshould%2DI%2Duse%2DSSL%2Dto%2Dpass</link>	
	<description>What&apos;s acceptable and best practice when it comes to passing data in on websites securely and non-securely?  I&apos;ve always presumed financial information should be passed securely, whilst names and address were OK non-securely?  Am I right? I run a health condition community where people have to enter their names, addresses, DOBs etc.  One member asked to be removed as we weren&apos;t using SSL for their profile information.  I&apos;m (reasonably) happy that we aren&apos;t, but am I wrong?  And are there any published guidelines?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2007:site.60367</guid>
	<pubDate>Wed, 11 Apr 2007 01:10:23 -0800</pubDate>
	<category>data</category>
	<category>encryption</category>
	<category>http</category>
	<category>https</category>
	<category>personalinformation</category>
	<category>privacy</category>
	<category>ssl</category>
	<category>web</category>
	<dc:creator>Ulleskelf</dc:creator>
	</item>
	<item>
	<title>How do I force HTTPS in Tomcat (through Apache and mod_jk)?</title>
	<link>http://ask.metafilter.com/53101/How%2Ddo%2DI%2Dforce%2DHTTPS%2Din%2DTomcat%2Dthrough%2DApache%2Dand%2Dmodjk</link>	
	<description>I&apos;m at my wit&apos;s end. I&apos;ve been trying to configure tomcat (through apache 2 using mod_jk) to automatically re-direct all traffic to HTTPS from HTTP. More boring technical details to follow. Specifically, I&apos;m trying to get &lt;a href=&quot;http://www.ja-sig.org/products/cas/&quot;&gt;CAS&lt;/a&gt; working. Tomcat is successfully serving-up the pages over HTTP and HTTPS and the application is working as expected. However, since this particular servlet handles user authentication I would like Tomcat to force HTTPS for all requests.&lt;br&gt;
&lt;br&gt;
I have tried using isSecure() through JSP to redirect users but it simply puts the requests into an endless loop. I have tried the &lt;a href=&quot;http://www.jguru.com/faq/view.jsp?EID=748030&quot;&gt;following configuration&lt;/a&gt; in the web.xml file (see Lukas Bradleys&apos; answer) and it does force a redirect, but it uses the server hostname as the URL and not the proxied URL to the server (which means it doesn&apos;t work externally).&lt;br&gt;
&lt;br&gt;
I&apos;ve tried changing the hostname on the server but it continues to use the initial hostname which leads me to believe that this value is somewhere in the Tomcat configuration, but I cannot locate it.&lt;br&gt;
&lt;br&gt;
So, is there an easier way to do this? Or, does anyone know where to look to modify that hostname to use the URL for the proxied site? Any assistance would be appreciated.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2006:site.53101</guid>
	<pubDate>Wed, 13 Dec 2006 15:56:41 -0800</pubDate>
	<category>CAS</category>
	<category>https</category>
	<category>java</category>
	<category>security</category>
	<category>servlet</category>
	<category>tomcat</category>
	<category>web</category>
	<dc:creator>purephase</dc:creator>
	</item>
	<item>
	<title>https from Google Talk client</title>
	<link>http://ask.metafilter.com/34534/https%2Dfrom%2DGoogle%2DTalk%2Dclient</link>	
	<description>Is it possible to force gmail to open with https through the google talk client? When I click the inbox link in my google talk client or click on a new email that pops up, my gmail account opens in my browser through http. Is there something I can configure on my computer to force any http request to use https for specific domains?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2006:site.34534</guid>
	<pubDate>Fri, 17 Mar 2006 06:58:11 -0800</pubDate>
	<category>gmail</category>
	<category>googletalk</category>
	<category>http</category>
	<category>https</category>
	<dc:creator>friedrice</dc:creator>
	</item>
	<item>
	<title>What&apos;s the cheapest way to get an SSL certificate?</title>
	<link>http://ask.metafilter.com/13303/Whats%2Dthe%2Dcheapest%2Dway%2Dto%2Dget%2Dan%2DSSL%2Dcertificate</link>	
	<description>What&apos;s the cheapest way to get an SSL certificate (for serving HTTPS connections)?  Obviously I&apos;d want the company selling these certs to be listed in most browsers as a trusted authority.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2004:site.13303</guid>
	<pubDate>Thu, 23 Dec 2004 10:52:26 -0800</pubDate>
	<category>certificate</category>
	<category>computers</category>
	<category>HTTPS</category>
	<category>internet</category>
	<category>secure</category>
	<category>security</category>
	<category>SSL</category>
	<dc:creator>LukeyBoy</dc:creator>
	</item>
	<item>
	<title>Plaintext Password Repositories</title>
	<link>http://ask.metafilter.com/7871/Plaintext%2DPassword%2DRepositories</link>	
	<description>Do you know of a free internet notepad service like &lt;a href=&quot;http://notepad.yahoo.com/&quot;&gt;Yahoo Notepad&lt;/a&gt;, but with https and maybe a few more bells and whistles? &lt;b&gt;2nd question:&lt;/b&gt; If I did find such a service, how stupid would it be to use it as my password repository?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2004:site.7871</guid>
	<pubDate>Fri, 11 Jun 2004 05:20:39 -0800</pubDate>
	<category>https</category>
	<category>internet</category>
	<category>yahoonotepad</category>
	<dc:creator>skryche</dc:creator>
	</item>
	
	</channel>
</rss>

