Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] [HTTPS-Everywhere] httpS log-on page

Drake, Brian brian2 at drakefamily.tk
Sat Jun 25 01:19:29 PDT 2011


This is a Firefox message. It means that although the page containing the
form was loaded over a secure connection, the URL for the form submission is
to be accessed over a non-secure connection. Getting around such
“subversion” is the one of the main points of HTTPS Everywhere.

I had always assumed that HTTPS Everywhere still works in cases like this,
but only intercepts the request after the warning you quoted is displayed to
the user. It does work, right?

(It should also be noted that this is often the result of less
security-conscious (negligent?) developers innocently hardcoding HTTP URLs
into pages, rather than an actual attempt to avoid the use of HTTPS.)

On Sat, Jun 4, 2011 at 0758 (UTC-8), Frank Corrigan <
email at franciscorrigan.com> wrote:

>
> The blog provider tumblr.com has introduced a very annoying override on
> it's httpS log-on page, when the log-in button is pressed a Security
> Warning pops up with:
>
> "Although this page is encrypted, the information you have entered is to
> be sent over an unencrypted connection and could easily be read by a
> third party.
>
> Are you sure you want to continue sending this information?"
>
> View screen capture:
> https://franciscorrigan.files.wordpress.com/2011/06/tumblr-https.png
>
> I am not seeking technical help, just to alert list members to the
> subversion of https when entering passwords and usernames/email
> addresses. Which follows on from wordpress.com removal of the S in httpS
> for any https based url posted on a blog hosted under wordpress.com,
> when the posted httpS url is also a wordpress.com blog. (like the one
> above...)
>
> Frank
>
> _______________________________________________
> HTTPS-everywhere mailing list
> [snip] <https://mail1.eff.org/mailman/listinfo/https-everywhere>
>

--
Brian Drake

Alternate (slightly less secure) e-mail: brian at drakefamily.tk
Alternate (old) e-mail: brianriab at gmail.com

Facebook profile: Profile ID
100001669405117<https://ssl.facebook.com/profile.php?id=100001669405117>
Twitter username: BrianJDrake <https://twitter.com/BrianJDrake>
Wikimedia project username:
Brianjd<https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd>(been
inactive for a while)

All content created by me
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
2010–2011 Brian Drake. All rights reserved.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110625/a2de8760/attachment.html>


More information about the liberationtech mailing list