Are your login forms wearing HTTP dirty diapers? (Updated)

HTTP Dirty Diaper

Most web developers are aware that if their site is not secured by an SSL certificate (HTTPS-encrypted) for form data (such as entering a user name, password, email address) that an attacker has the potential to see the entered data rendered in plain text. The use of HTTP (unencrypted) forms sets up a user for potential man-in-the-middle type attacks. The attacker could set up a different URL for the form to post to and the user would be unaware that an attack is occurring in the background.

Avoid websites that want you to fill out their forms but fail to offer SSL encryption…

When it comes to Internet security and privacy, I have always been a very outspoken advocate in this realm. There is no reason why anyone should have to input any type of personal data at a website that does not offer encryption (a secure layer). If there is no HTTPS fancy padlock on the website (boasting that your data is encrypted) – don’t post anything at that website that requires any type of personal information (user name, password, email address) period.

We live in a digital landscape that is highly supportive of providing the means for hackers to continue to hack. The irresponsibility of some web administrators/developers often lacks education, common sense or web-savvy smarts on how to protect user personal data from online threats. It isn’t like the information on the “How To” isn’t out there. Sometimes people are simply too lazy about Internet security and client privacy or they just don’t think that interception by a hacker (via sniffing HTTP traffic, injection or other means) could ever happen at their site. Dream on…

Web Administrators/Developers (take note)

All forms on the web should be encrypted by default.

Don’t you think it is time to get your SSL training pants on and dump the HTTP dirty diapers? If you provide a login form at your site, you should anticipate that your traffic could be intercepted and hacked. Did you forget that an HTTP login form can be compromised between the client and server? When collecting user data at any website it is important that web administrators and developers show a little respect and make an effort to secure all website forms. I strongly believe that all forms on the web that collect user information should be encrypted by default. If it is a matter of affordability , there are inexpensive options available to you. You can move your domain to NameCheap ($9.69 per year) and purchase a RapidSSL Certificate for as low as $10.95 per year.



Update 7/23/2012

Make HTTPS the default and offer an HTTP login alternative for situations like this:

I strongly disagree. I currently live in Iran, and sometimes (just for fun, I guess – see here for an example:, they disallow all encrypted connections (to/from outside the country) and every single website/service that uses SSL and is located outside of the country stops working.

Sure, now they can easily sniff my HN password (which I don’t use anywhere else) and could abuse it, but I don’t give the slightest damn about it. I’d create a new account (though it’s not ideal as I’d lose my karma and can’t downvote objectionable/trollish comments). My HN profile is probably the least valuable online account I have; I don’t care if it gets removed or hacked. It’s more annoying for me if I couldn’t login at all.

Of course, your use case most certainly differs from mine; which is why I think it’s a good idea to show HTTPS login form by default. But please always allow a less-secure but probably more reliable option for logging in when you’re creating a login form for non-commercial sites like HN. —Hacker News

Note: I overlooked situations like the above. The solution would be to offer HTTPS by default and an alternative HTTP login. Use a disposable email with an account that leads to nowhere and a one-time password.

2 comments to Are your login forms wearing HTTP dirty diapers? (Updated)

  • honest diaper  says:

    Looking for the honest diaper which really seems to be best in all.

    • teksquisite  says:

      Huh! I’m sure you are = removed your link…


Leave a reply