How does https really work?

Posted By:   Anonymous
Posted On:   Thursday, March 31, 2005 11:24 AM


Hi everyone, I have a question on a particular way to use https that, at first look, seems incorrect. I noticed that some sites (Paypal.com, americanExpress.com) do not use the same pattern that everybody else does. That pattern is as follows:

As soon as I am redirected to the page of the site that contains the login form, the browser already displays an https url. Therefore, when I hit the submit button on the login form, my user name and password are encrypted because both the page I'm on and the page that is being called (or servlet, whatever) reside on an https protocol. I always thought that this was the only way to go.

Now, as I said earlier, I noticed that some sites use a different mechanism... Their way is the same way that I just described, except that the page that contains the login form does not display the https protocol...

In fact, if you type www.paypal.com, you will get the login page, but the browser will not display https as the protocol being used. If you look at the source code, however, the action of the form is an https page.

So, when I first noticed how Paypal works, I thought that the username and password were not protected while they were sent to the https page. But I installed a sniffer on my pc to see if I would be able to pick up the http packet that contains the user name and password, and to my surprise, I was not able to sniff anything. In fact, when I hit the submit button, I did not pick up any http packet at all. I thought that I would at least pick up the http packet that contains the username and password that is being sent from an http page to an https page.

So my question is, how does this work? The user information seems protected, but I don't understand why, because I thought that the page that contains the login form had to be in https.

I hope I was clear enough,
Thanks in advance!

Alexandre Folgueras


Re: How does https really work?

Posted By:   shiladitya_sircar  
Posted On:   Sunday, April 3, 2005 07:19 AM

Ok, for starters: the only difference between HTTP and HTTPS is that one uses an underlying security layer and the other does not. The protocol itself is not secured, nor does it have any means built in to secure itself. HTTP is basically an application-level protocol; to secure the layer, it uses SSL/TLS, thus making https "http over SSL". Communication happens on port 443 for https, so any website implementing client-side https packages or protocol extensions must adhere to SSL handshaking over the clean channel and then fall back on a secured context. For optimization purposes, web sites can just have the sensitive information transferred over the internet securely and leave all the HTML tags and redundant information in clear text. Now, these are implementation details, which can vary from site to site. Different sites can use a different handshaking strategy, which would implement a different SSL context at different layers; this is very implementation specific.

I hope I have clarified some of your doubts.
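The observation in the question and the explanation in the reply come down to one thing: the browser picks the transport from the scheme of the form's action URL, not from the scheme of the page the form is on. An `https://` action means the browser opens a TLS session to port 443 and sends the POST inside encrypted application-data records, so a sniffer sees a handshake and ciphertext rather than an HTTP request. The example below is added here for illustration and is not code from either poster or from PayPal or American Express; the page URL, hostname, form markup, field names and credentials are all constructed. It resolves a form's action against the page URL, reports what a passive sniffer on the path would capture, and then shows the weakness of the "http page, https action" pattern: because the login page itself arrives over plain HTTP with no integrity protection, an on-path attacker can rewrite the action to `http://` and the same browser will post the credentials in the clear.

```python
"""Added example (not from the original thread): where does a login form send
credentials, and what does a sniffer on the path see?  All HTML, URLs, field
names and credentials here are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlencode


class FormFinder(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "fields": []}
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name"),
                                        (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def analyse_forms(page_url, html):
    """Resolve each form's action against the page URL (relative actions inherit
    the page's scheme) and record which side of the submit is protected."""
    p = FormFinder()
    p.feed(html)
    out = []
    for f in p.forms:
        action = urljoin(page_url, f["action"])
        out.append({
            "action": action,
            "method": f["method"],
            "page_over_tls": urlsplit(page_url).scheme == "https",
            "submit_over_tls": urlsplit(action).scheme == "https",
            "has_password": any(t == "password" for _, t in f["fields"]),
            "fields": [n for n, _ in f["fields"] if n],
        })
    return out


def sniffer_view(form, credentials):
    """What a passive sniffer between browser and server captures for the submit.
    Over plain HTTP the whole request, POST body included, is readable.  Over
    HTTPS the browser first completes a TLS handshake to port 443 and the
    request then travels inside encrypted TLS application-data records, so no
    HTTP request is ever visible on the wire."""
    u = urlsplit(form["action"])
    if form["submit_over_tls"]:
        return {"port": u.port or 443, "plaintext_request": None,
                "credentials_exposed": False}
    body = urlencode(credentials)
    request = (f"{form['method'].upper()} {u.path or '/'} HTTP/1.1\r\n"
               f"Host: {u.hostname}\r\n"
               f"Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\n\r\n{body}")
    return {"port": u.port or 80, "plaintext_request": request,
            "credentials_exposed": True}


def strip_tls_from_actions(html):
    """What an on-path attacker can do to a login page that was itself served
    over plain HTTP: rewrite the action so the browser posts in the clear.  The
    page carries no integrity protection, so the browser cannot tell."""
    return html.replace('action="https://', 'action="http://')


# Constructed sample: login page fetched over HTTP, form posting to HTTPS.
PAGE_URL = "http://www.example.com/"
LOGIN_PAGE = """<html><body>
<form method="post" action="https://www.example.com/cgi-bin/login">
  <input type="text" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Log In">
</form></body></html>"""


def demo():
    """Return the sniffer's view before and after an attacker rewrites the form."""
    creds = {"login_email": "alice@example.com", "login_password": "hunter2"}
    original = analyse_forms(PAGE_URL, LOGIN_PAGE)[0]
    tampered = analyse_forms(PAGE_URL, strip_tls_from_actions(LOGIN_PAGE))[0]
    return sniffer_view(original, creds), sniffer_view(tampered, creds)


if __name__ == "__main__":
    before, after = demo()
    print("untampered page:", before)
    print("tampered page:  ", after)
```

The first result reproduces what the questioner saw: the submit goes to port 443 and no HTTP request appears. The second shows why the pattern is still weaker than serving the login page over https: the protection rests on an unauthenticated http page, and anyone who can modify that page in transit can choose where the credentials go.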