Forcing a website to use https all the time

Posted: Mon Jul 27, 2009 8:36 pm
by phule
Is it possible to force a website to use https all the time using NS>options>advanced>https>behavior?

I'm referring to the website http://www.igourmet.com, which has a non-secure homepage but a secure login page. However, when I enter the requested email address & password and click on the login link, a Security warning pop-up appears. It states that while the page is encrypted, the data will be sent via a non-secure connection. I tried adding *.igourmet.com to NS>options>advanced>https>behavior, but it didn't work.

Any ideas/suggestions?

Re: Forcing a website to use https all the time

Posted: Mon Jul 27, 2009 9:07 pm
by Giorgio Maone
You don't have to worry about that warning: it is issued because the action attribute of the form you're submitting contains an http: URL.
However, NoScript turns this URL into https as soon as the request starts.

Re: Forcing a website to use https all the time

Posted: Tue Jul 28, 2009 12:27 am
by therube
Should it show the login/pw in plain text (on my end at least)?
Should it show https: somewhere?
(And it knows you too, in the cookie. Darn cookies!)

http://www.igourmet.com//myAccount/login_process.asp

POST //myAccount/login_process.asp HTTP/1.1
Host: www.igourmet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Keep-Alive: 300
Connection: keep-alive
Cookie: index%5Flanding%5Fpage=http%3A%2F%2Fforums%2Einformaction%2Ecom%2Fviewtopic%2Ephp%3Ff%3D7%26t%3D2134%26sid%3D49ccc5f6e00cdd254d0027e398a56abe; ASPSESSIONIDAATQBRQT=OECFFBMCJKJGPEPAOCCOLJAI
Content-Type: application/x-www-form-urlencoded
Content-Length: 67

redirect=&email0=abc%40def.com&password0=igour&Login.x=84&Login.y=4

HTTP/1.x 302 Object moved
Date: Tue, 28 Jul 2009 00:10:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: error.asp?err=acct600a&link=login.asp
Content-Length: 162
Content-Type: text/html
Expires: Tue, 28 Jul 2009 00:10:35 GMT
Cache-Control: private

PS: And the login page itself has a broken SSL warning. But that doesn't matter if you're forcing https:?

Whoops. Forgot I had taken igourmet.com out of https:.

Again, this time with igourmet.com in force https:

https://www.igourmet.com//myAccount/login_process.asp

GET //myAccount/login_process.asp HTTP/1.1
Host: www.igourmet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Keep-Alive: 300
Connection: keep-alive
Cookie: index%5Flanding%5Fpage=http%3A%2F%2Fforums%2Einformaction%2Ecom%2Fviewtopic%2Ephp%3Ff%3D7%26t%3D2134%26sid%3D49ccc5f6e00cdd254d0027e398a56abe; ASPSESSIONIDAATQBRQT=OECFFBMCJKJGPEPAOCCOLJAI

HTTP/1.x 302 Object moved
Date: Tue, 28 Jul 2009 00:19:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.igourmet.com/
Content-Length: 145
Content-Type: text/html
Expires: Tue, 28 Jul 2009 00:19:29 GMT
Cache-Control: private

OK, this time the login/pw is not being transmitted in plain text.

There is a difference. With force https:, with my invalid login attempt, there is no feedback given. I am simply redirected back to the home page rather than the Invalid account or incorrect password page.
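As an added example (not code from this thread or from NoScript), here is a small Python checker that reads captures laid out like the two pastes above and reports whether password-like fields crossed plain http; the host and secrets in the embedded samples are constructed placeholders, and the list of sensitive field names is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

SENSITIVE_NAMES = ("password", "passwd", "pwd")  # assumption: pragmatic list, not exhaustive

def parse_capture(capture: str) -> dict:
    """Parse a capture laid out like the pastes above: URL line, then the raw request.
    'Name: value' lines are headers; the first line without that shape starts the body
    (the paste has no blank line before it); a line starting 'HTTP/' begins the response."""
    lines = [ln for ln in capture.strip().splitlines() if ln.strip()]
    url, request_line = lines[0].strip(), lines[1]
    method, path, _version = request_line.split(" ", 2)
    headers, body = {}, []
    for line in lines[2:]:
        if line.startswith("HTTP/"):      # response status line: the request is complete
            break
        name, sep, value = line.partition(": ")
        if sep and not body and " " not in name:
            headers[name.lower()] = value.strip()
        else:
            body.append(line)
    return {"scheme": urlsplit(url).scheme, "method": method, "path": path,
            "headers": headers, "body": "\n".join(body)}

def credential_report(capture: str) -> dict:
    """List credential-like fields the request carries and flag them when they
    travelled over plain http (what the first capture above shows)."""
    req = parse_capture(capture)
    fields = parse_qs(urlsplit(req["path"]).query, keep_blank_values=True)
    if req["method"] == "POST":           # a GET after the https upgrade carries no body
        fields.update(parse_qs(req["body"], keep_blank_values=True))
    creds = sorted(f for f in fields if any(s in f.lower() for s in SENSITIVE_NAMES))
    return {"scheme": req["scheme"], "method": req["method"], "credential_fields": creds,
            "plaintext_exposure": bool(creds) and req["scheme"] != "https"}

# Constructed samples modelled on the two pastes above (placeholder host and secrets).
PLAIN_POST = """http://www.example.test//myAccount/login_process.asp
POST //myAccount/login_process.asp HTTP/1.1
Host: www.example.test
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
redirect=&email0=user%40example.test&password0=placeholder&Login.x=1
"""

FORCED_GET = """https://www.example.test//myAccount/login_process.asp
GET //myAccount/login_process.asp HTTP/1.1
Host: www.example.test
Cookie: ASPSESSIONID=placeholder
HTTP/1.x 302 Object moved
Location: http://www.example.test/
"""
```

Running `credential_report` over the two samples flags `password0` in the plain POST and reports no credential fields at all for the upgraded GET, which is also why that second attempt produced no login feedback.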