Thread: Quick HTTPS question

  1. #18 (Member; Join Date: May 2008; Posts: 34)
    I figured out what is exactly going on. As I theorized with the information gathered from the log file, there is indeed another page being loaded within the page. It's not easily noticed on the page by right-clicking in order to look for an iframe, either, which is also the reason why I did not think that there was an iframe and why I did not think the process was secure to begin with.

    Here is the code: "<iframe id="loginframe" name="loginframe" src="http://mfasa.chase.com/auth/login.html" width="0" height="0" frameborder="0" scrolling="no" marginheight="0" marginwidth="0"></iframe>
    <!-- end login_module_shared -->"

    (Notice that the size of the iframe is 0 pixels by 0 pixels. You won't find that iframe by right-clicking anywhere on the page that you can see.)

    For the record, that doctor in the other article that suggested that the action part of the submit button ensured encryption prior to the data being sent was indeed WRONG. When you submit a form and the action part attempts to go to https://chaseonline.chase.com/sitemi...s/formpost.fcc , you are really asking the domain name server what IP you're going to connect to. That's it. The form data is then sent to the server at that IP and the server decides what to do with it. What is really going on here is that the http://mfasa.chase.com/auth/login.html (not secure) is being opened, then auto-submitted and replaced with an https page (secure). That public key transaction is what encrypts the contents of your username and password before it is sent out. The action part of the URL only lets you know that it is going to a secure server and that the reply you get back will also be encrypted.

    I love it when I prove that I am smart. This also is another prime example of why you don't take someone else's word for it, and never assume that someone else is smarter than you, regardless of their education or job title.

    Computernerd22, I really hope you paid attention.

    If that iframe wasn't there, that 'client' would have been correct. The fact that it is there gives a reasonable indication that I was correct in saying that no encryption takes place until after a response comes back from an https request and that data submitted via the form with this request is also not encrypted during submission. Why else would they need to establish the handshaking process first via the iframe?

    Negative, that quote does not contain an error, so your use of "(sic)" is no longer appropriate. lol You are indeed logging in on an insecure page. It is, after all, http and we all know that http is not secure. The method of transportation is over https, but that doesn't make the quote inaccurate.
    Last edited by itPro; June 3rd, 2008 at 08:46 PM.
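The hidden iframe the post quotes is exactly the kind of element a reviewer wants flagged automatically: a frame sized 0 by 0 that pulls a login form from a plain http:// URL, so it is invisible to a user who right-clicks the page and its first load is not protected by TLS. The following scanner is an added example, not code from the original post or from Chase; it walks an HTML document with Python's standard-library parser and reports every iframe that is hidden (zero width/height, display:none or visibility:hidden) or whose src scheme is http. The sample page below is constructed for this example; only the first iframe tag is the one the post quotes, the other two are made up as controls.

```python
"""Flag hidden iframes and iframes that load their content over plain http.

Added example, not part of the original forum post. The scan is purely
static: it reads markup and does not fetch anything.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _dimension_zero(value):
    """True when a width/height attribute resolves to 0 (e.g. "0" or "0px")."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    try:
        return float(v) == 0
    except ValueError:
        return False


def _is_hidden(attrs):
    """Hidden by zero size or by inline CSS (the only cues visible in markup)."""
    if _dimension_zero(attrs.get("width", "")) or _dimension_zero(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class IframeAuditor(HTMLParser):
    """Collects one finding per iframe that is hidden and/or served over http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}   # names are lowercased by the parser
        src = a.get("src", "")
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if urlsplit(src).scheme.lower() == "http":
            reasons.append("plaintext-src")
        if reasons:
            self.findings.append({"id": a.get("id", ""), "src": src, "reasons": reasons})


def audit_iframes(html_text):
    """Return a list of findings, in document order, for the given HTML."""
    auditor = IframeAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample page: the first iframe is the one quoted in the post,
# the other two are invented controls (one visible http, one visible https).
SAMPLE_PAGE = """<html><body>
<iframe id="loginframe" name="loginframe" src="http://mfasa.chase.com/auth/login.html" width="0" height="0" frameborder="0" scrolling="no" marginheight="0" marginwidth="0"></iframe>
<!-- end login_module_shared -->
<iframe id="news" src="http://news.example.test/ticker" width="300" height="60"></iframe>
<iframe id="widget" src="https://widget.example.test/embed" width="300" height="200"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_PAGE):
        print(f"iframe id={f['id']!r} src={f['src']} -> {', '.join(f['reasons'])}")
```

Run on the sample, the scanner reports the login frame as both hidden and plaintext-src and the news frame as plaintext-src only; the https widget is not reported. A "hidden" plus "plaintext-src" pairing on a page that carries a login form is the combination worth escalating, since the frame's initial document is fetched without TLS and the user has no visual cue that it exists.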
