Http Https Security Paradox

Fact: Submitting a password (or anything else) is far more insecure over a plain HTTP connection than over an HTTPS connection because HTTPS - even if the server certificate is self-signed - is at least encrypted.

Paradox: Why do modern browsers scream "danger" if you visit a site with a self-signed certificate, but say nothing when you submit an input of type password over plain HTTP? This unnecessarily complicates the life of developers who, trying to prevent transmission of passwords as plain text (but without budget to buy a commercial certificate), enable HTTPS with a self-signed certificate only to receive complaints from users saying that the browser now presents a full page error message saying that the site has now become a security risk. (As if it were not a far worse security risk when it was running over plain HTTP.)

Mozilla Firefox has gotten some criticism for their particularly bad handling of this. See http://tech.slashdot.org/tech/08/08/22/1139236.shtml

In fact, this fashion was started by InternetExplorer 7, and the copied by FireFox 3.0. And it is one of the biggest mistakes I have ever seen, it basically sends the message: "Self signed HTTPs is more insecure that plain HTTP".

To have a sensible security policy, all browsers should present this annoying "This site is a security risk follow these cumbersome steps for reading it" for every plain http site on the web.

[Wouldn't be bad before posting password fields, at least. However, something to realize is that HTTPS can be performed without a cert. SSL allows it. I'm not sure what the configuration effort on IIS or Apache would be.]

[Anyhow, rather than plaintext passwords, one can also use HmacUserAuthentication with a small bit of javascript. It can provide very powerful security at a tiny fraction of the cost (SSL has a lot of extra handshaking.)]

Yes, but that only works for passwords, the rest of your data is still being transmitted unencrypted....

[HmacUserAuthentication protects the password and the content of the data (in the sense that nobody can toy with it). With a little extra protocol, it can also protect against repeat attacks. For many sites, that's enough. If you need full site encryption for privacy from end-to-end, HTTPS is the way to go (at least for now and the immediate future). But protecting passwords is very important, in part because people reuse passwords all the time.]


CategorySecurity


EditText of this page (last edited November 10, 2014) or FindPage with title or text search