undefined | Better HN

0 pointsthere16y ago0 comments

the form it is submitting to needs to be SSL, but the form itself does not

then how do you guarantee the form is going to submit to an SSL-protected resource? the form and all of your javascript has to be sent over SSL, otherwise any of it can be tampered with to simply bypass your logic and post the form contents to an unencrypted resource.

if you haven't already seen it, watch moxie's blackhat presentation about ssl:

https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.htm...

0 comments

1 comments · 1 top-level

hayroob16y ago

That seems like viable thought. I will watch the presentation when I get a chance, but for now I will modify the article to consider this scenario and my code already forces SSL on the login page and the authentication script.

j / k navigate · click thread line to collapse