Hello, a client is looking to implement FaaS for their donations.
I have a question / possible concern going from a NON-SSL page to an SSL POST request. We would be posting to FaaS which is SSL from our non-SSL form, which seems to be the normal implementation.
So this raises a few questions for me:
1. There will be no HTTPS visible when the user submits the form. The user may not know that the form is secure.
2. The site could be vulnerable to MITM (man in the middle) attacks.
Please see the following for an explanation of number 2:
http://stackoverflow.com/questions/6130436/is-posted-information-from-non-ssl-to-an-ssl-secure
There seems to be some contention about the possibility of the second item, so before raising any red flags, I want to consider the probability of occurrence and accepted practice in this instance.
Any insights would be greatly appreciated.
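The setup in the question can be checked mechanically. The following is an added example, not part of the original post: it audits a page's forms and flags the case described above, where the form target is HTTPS but the page carrying the form is plain HTTP, so the HTML (including the form's `action`) reaches the browser without integrity protection. The host names and sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means the form posts back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_action, finding) for each form found in html.

    insecure-target: the submission itself travels over plain HTTP.
    insecure-page:   the target is HTTPS, but the page was delivered over
                     HTTP, so the action the browser sees is not guaranteed
                     to be the one the server sent.
    ok:              both the page and the target use HTTPS.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        if urlsplit(target).scheme != "https":
            finding = "insecure-target"
        elif not page_is_https:
            finding = "insecure-page"
        else:
            finding = "ok"
        findings.append((target, finding))
    return findings


# Constructed sample page: one form posting to an HTTPS service, one relative form.
SAMPLE_HTML = """
<form method="post" action="https://forms.example/donate"><input name="amount"></form>
<form method="post" action="/newsletter"><input name="email"></form>
"""

if __name__ == "__main__":
    for target, finding in audit_forms("http://charity.example/give", SAMPLE_HTML):
        print(f"{finding:16} {target}")
```

Running the same audit with the page URL changed to `https://charity.example/give` reports both forms as `ok`, which is the configuration that addresses both numbered concerns.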