Secure popup login possible?

Question

I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.

It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.

Is there a way I can make the pop up login form secure without making the whole site https?

I think it is possible. You could try using a javascript function that opens a login popup with a HTTPS address. — auroranil, Jan 17 '12 at 00:25

score 4 · Accepted Answer · edited May 23 '17 at 12:09

Using an AJAX pop-up (or an iframe) that goes (in theory) to https:// on an http:// page presents two problems:

An attacker could intercept the page and replace the link with his own.
This prevents the user from checking to which site it's connected to.

The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP recommendation:

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.

Essentially, a MITM could modify the page you use to server that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).

The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https:// site: mybank.example.com and attackers.example.com could both have a valid certificate issued by a trusted authority. If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https:// site from a popup or an iframe hides the real target website.

This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).

In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.

score 2 · Answer 2 · answered Jan 17 '12 at 00:05

2

Short of wrapping the entire site in a SSL protocol, the only other option for this would be to have the Pop-up form be an IFRAME that points to another page with the form that resides on an HTTPS connection.

answered Jan 17 '12 at 00:05

Drahkar

1,694
13
17

Which of those 2 options would you choose? I'd imagine the SSL wrapper would slow things down and the iframe would add bloat... – chris Jan 17 '12 at 00:18
If your script dynamically injects the iframe upon clicking for it to popup, this would not increase overhead. – King Friday Jan 17 '12 at 00:20
I would have to agree with that. Iframe's should **be avoided** if possible for secure connections . – auroranil Jan 17 '12 at 00:27
So SSL wrapper is the only secure option? – chris Jan 17 '12 at 00:34
Honestly, if you are that concerned about security, I would just put the entire site behind an SSL Cert. Problem solved. It doesn't add any overhead to the existing process and solves your concerns. That being said, you have to remember that if you are submitting your form to a HTTPS site, then you are pretty much covered at that point. It would be different if they were actively typing their password into an active connection, but websites don't work that way. When they connect to your site, they download everything to their browser. When they submit the form, its on a secure connection. – Drahkar Jan 17 '12 at 00:45
Thanks for your responses. What you describe was my original understanding but today a more senior dev told me that I would be open to attacks if the form itself is not behind an SSL Cert. Is he mistaken? – chris Jan 17 '12 at 00:51
I'm tempted to just scrap the swanky login and just put on its own page. Googling around I see the big boys have their forms behind SSL Certs – chris Jan 17 '12 at 00:54
He's not wrong. The best solution is to have the entire login process behind a SSL cert. A common practice is to have the username request in the nice and pretty pop-up and then shift to a secure URL for the rest of it. – Drahkar Jan 17 '12 at 00:56
I would also add the comment on IFRAMES being avoided are really personal preference. I personally don't favor them, but they are a valid and reasonable option for implementing things. – Drahkar Jan 17 '12 at 01:02
@chris If the document with the login form is not served via HTTPS, it is possible that the document is tampered, e. g. with a different form action URL that points to a third party site. – Gumbo Jan 17 '12 at 09:03

score 1 · Answer 3 · answered Jan 17 '12 at 02:27

1

If initial request is being served by HTTP and you are using same channel to provide "HTTPS" links/forms etc, attacker will simply change that HTTPS to HTTP.

This has been demonstrated by Firesheep

What you can do is to serve HTTPS form over HTTP but enable HTTP Strict Transport Security

Of course, I am assuming you are going to have link like https://login.site.com which will be served by http://www.site.com ... this way you have to create SSL certificate only for sub-site/ one virtual host

answered Jan 17 '12 at 02:27

gauravphoenix

2,814
3
25
33

What do you mean by that the “attacker will simply change that HTTPS to HTTP”? – Gumbo Jan 17 '12 at 08:59
attacker will use any of the Man In the Middle attack tools to swap HTTPS with HTTP – gauravphoenix Jan 17 '12 at 10:49

Secure popup login possible?

3 Answers3

Linked