Does anyone know a good explainer text why hybrid HTTP/HTTPS solutions (aka "only login encrypted") are always insecure?
Replying to @hanno
the "login page and form target both HTTPS" kind or the "form target only" kind?
e.g. if you have a https login page, but people get to the login page from the http start page, that doesn't help either.
Replying to @hanno
well, at least then you can't just grab the password from autofill anymore. Not saying it's a sane idea, but better than nothing.
(Chrome autofills passwords, even in frames, and autofilled creds can be grabbed from JS w/o user interaction)
(so a MITM attacker can iirc just grab your saved creds for all http sites he knows w/o user interaction)
9:46 AM - 10 Oct 2016