More security for web forms

There are several banks that use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell whether the login form is legitimate or spoofed. Starting from the findings of Johannes Ullrich, chief research officer of the SANS Institute, Alun Jones raises the alarm about this overlooked problem: how secure is the web form you are filling in?

With DNS hacks, and viruses that replace or edit your host file, that’s not a guarantee of anything very much, sadly - so these days, you should want your bank to identify themselves via a certificate - and that can only be done through an SSL link. How do you know if the form on your screen has been delivered by SSL?

The “padlock” icon could answer this, but …

… you also want your password to be sent back using SSL, and currently, there’s no browser that I am aware of that will tell you that this is the case, or prevent your form details from traveling back unprotected.

True! I immediately thought there could be some handy solutions, so I did a little research and found that Chris Shiflett had already addressed this problem and prompted the web community for a solution.

Wouldn’t it be nice if browsers could give us a visual indication that a form’s action uses the https scheme? Anyone want to write a Firefox plugin? :-)

And he actually got two neat responses: a Firefox extension by Daniel Steinbrook and a Greasemonkey script by Sean Coates. Both tools inspect the HTML and JavaScript of the page hosting the form in order to display a visual indicator of the form's security and details of where the form is posting your data.

I would also suggest adding a light yellow background behind the fields of secure forms. This would be consistent with Firefox, where the address bar turns yellow when displaying an https page. The coloring would emphasize that the input data will be sent encrypted to an SSL page.
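As an added example (not code from the original post, nor from the FormFox extension or Greasemonkey script mentioned above), here is the core check such a script performs, with the yellow-for-secure colouring suggested above. The function names and colours are my own; the classification function is pure so it also runs outside a browser, and the painting function only runs when a `document` exists.

```javascript
// Resolve a form's action attribute against the page URL and classify where
// the submitted data will go. An empty or missing action posts to the page itself.
// Assumption: a statically visible submit handler means the destination may be
// decided by script at submit time, so the verdict is "unknown" rather than a guess.
function classifyFormAction(action, pageUrl, hasSubmitHandler = false) {
  const page = new URL(pageUrl);
  const target = new URL(action === null || action === "" ? pageUrl : action, pageUrl);
  if (hasSubmitHandler) {
    return { status: "unknown", reason: "script submit handler", target: target.href };
  }
  if (target.protocol === "https:") {
    return { status: "secure", reason: "posts over https", target: target.href };
  }
  // An https page posting to http is the worst case: the padlock is shown,
  // but the credentials leave the browser in the clear.
  const downgrade = page.protocol === "https:";
  return {
    status: "insecure",
    reason: downgrade ? "https page posts over http" : "posts over http",
    target: target.href,
  };
}

// Paint every form on the page according to its verdict (browser only).
// Handlers attached with addEventListener are not visible here, which is one
// reason a static check cannot vouch for every page.
function markForms(doc) {
  const colors = { secure: "#ffffcc", insecure: "#ffcccc", unknown: "#eeeeee" };
  const results = [];
  for (const form of doc.querySelectorAll("form")) {
    const hasHandler =
      form.hasAttribute("onsubmit") || form.querySelector("[onclick]") !== null;
    const r = classifyFormAction(form.getAttribute("action"), doc.location.href, hasHandler);
    for (const field of form.querySelectorAll("input, textarea")) {
      field.style.backgroundColor = colors[r.status];
    }
    form.title = `Form posts to ${r.target}: ${r.reason}`;
    results.push(r);
  }
  return results;
}

if (typeof document !== "undefined") markForms(document);
```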

I’m quite skeptical about the security level offered by today’s SSL certificates (see my previous post), but these small measures could make the experience of filling in a form more consistent, and hence more secure.

I hope these kinds of visual indicators will be implemented in the next releases of Firefox, Safari and IE.


Yeah, I thought of that, but...

How do you come up with a browser extension (or a change to the browser itself) that will show this information in a manner that a site cannot fake?

Also, how do you confirm for certain that the page will be submitted in HTTPS?

The usual example should suffice - define a function that will submit to an HTTP link half the time, and an HTTPS link the other half of the time, with the choice made entirely randomly. Your submit button calls this function.

Sure, no web site in its right mind would implement such a function, but it does indicate that there will be web sites that such an extension cannot correctly predict.

What use is a security feature that cannot be predicted to work all the time? And what are the parameters of pages on which it works, or doesn’t?

Perhaps a better measure would be to use one of the “privacy protection” programs that actively scan outgoing traffic for your personal information, and stop it mid-send if it’s sent in the clear.
