
I can use LWP, Curl, Wget, etc. to submit a form over https to any HTTP server.

I am unaware of any protocol semantics that allow an HTTP server to determine how the submitted data was marshaled.




Eh? I think you misunderstand me.

As Facebook learned, submitting to an HTTPS server isn't enough; the form must be too. Otherwise you can be man-in-the-middle attacked on the form page. Better yet, serve everything over HTTPS, so people can't change the links.


So what you mean to say is that if you don't use SSL all the time, somebody with a sniffer can pull your session ID out of the air and impersonate you by hijacking your session.

That's VERY different from a man-in-the-middle attack.

Do you think the coffee shop should have offered encrypted wifi?


Google 'ssl man in the middle attacks' and you'll see that SSL does not prevent man-in-the-middle attacks.
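
The point raised earlier in the thread, that a form posting to HTTPS is still exposed when the page carrying it arrived over plain HTTP, can be checked mechanically. The following is an added example, not part of any comment in the thread; the names `FormAudit` and `audit_page` and the `example.test` URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAudit(HTMLParser):
    """Collect the resolved submit target of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = dict(attrs).get("action") or ""
            self.targets.append(urljoin(self.page_url, action))


def audit_page(page_url, html):
    """Return (target, finding) per form; finding is None when both legs use HTTPS."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for target in parser.targets:
        if urlsplit(target).scheme != "https":
            finding = "form data submitted in cleartext"
        elif not page_secure:
            # The case from the thread: the POST is encrypted, but the page
            # carrying the form was not authenticated, so the action could
            # have been rewritten in transit before the user typed anything.
            finding = "form delivered over HTTP; HTTPS action can be rewritten in transit"
        else:
            finding = None
        results.append((target, finding))
    return results


# Constructed sample markup, not taken from any real site.
SAMPLE = ('<form action="https://login.example.test/session" method="post"></form>'
          '<form action="/search"></form>')

if __name__ == "__main__":
    for url in ("http://www.example.test/", "https://www.example.test/"):
        for target, finding in audit_page(url, SAMPLE):
            print(url, "->", target, ":", finding or "ok")
```

The same markup passes cleanly only when the page itself is fetched over HTTPS, which is why the relative `/search` action changes verdict with the page URL.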



