
HTML

What is the most secure way to submit a form?

2 Answers

Casey Clayton
Casey Clayton
16,708 Points

Well, if you are talking about username and password forms, generally the security and the code to make the login happen will be handled by a backend language such as Ruby or PHP, and only the form itself will be handled in HTML. If you mean something different, please correct me.

This is my personal opinion and is in no way researched fact:

There is no single secure way to submit a form. My first advice is to use POST instead of GET, since then you are not including the password in the URL. If you want to further improve the security of the transfer of data, it all depends on what type of attack you are expecting. For instance, to combat man-in-the-middle hacks, you would encrypt the form values on the client side using JavaScript before sending. Of course, the encryption method would've been caught by the MITM anyway; it simply makes it more difficult and thus a less desirable target. This has the drawback that the client browser has to support and enable JavaScript, and on the server side you need to be able to efficiently decrypt the data, which can be time consuming depending on the method.
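As an added example that is not from this thread or its authors, the following minimal login handler shows the POST-over-HTTPS approach from the answer above on the server side: credentials are accepted only from a POST body (never from the query string), plaintext HTTP is redirected to HTTPS, and the HTTPS response sets a Strict-Transport-Security header so the browser refuses a downgraded copy of the page later. The `handle_login` function, the redirect URL `https://example.test/login`, and the `SAMPLE_USERS` table are assumptions constructed for the demo.

```python
import hmac
from urllib.parse import parse_qs

# Constructed demo data only; a real app stores password hashes, not passwords.
SAMPLE_USERS = {"alice": "correct horse battery staple"}
HSTS = "max-age=31536000; includeSubDomains"


def verify_sample(user, password):
    """Constant-time check against the constructed demo table (assumed verifier)."""
    expected = SAMPLE_USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected, password)


def handle_login(method, scheme, query, body, check_credentials=verify_sample):
    """Return (status, headers, text) for a login request.

    method: "GET" or "POST"; scheme: "http" or "https"; query: raw query
    string; body: raw application/x-www-form-urlencoded form body.
    """
    if scheme != "https":
        # Never process credentials on a plaintext connection; send the browser to TLS.
        return 301, {"Location": "https://example.test/login"}, ""
    headers = {"Strict-Transport-Security": HSTS, "Cache-Control": "no-store"}
    if method != "POST":
        # A GET form puts the password in the URL: browser history, proxy and
        # server logs, and the Referer header of the next request.
        return 405, {**headers, "Allow": "POST"}, "use POST"
    if "password" in parse_qs(query) or "username" in parse_qs(query):
        # Even with POST, credentials in the query string still end up in the URL.
        return 400, headers, "credentials must be sent in the request body"
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if not user or not password:
        return 400, headers, "missing fields"
    if check_credentials(user, password):
        return 200, headers, "welcome"
    return 401, headers, "invalid credentials"


if __name__ == "__main__":
    # Constructed sample request: the form posted over HTTPS with the demo credentials.
    print(handle_login("POST", "https", "", "username=alice&password=correct+horse+battery+staple"))
```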

Casey Clayton
Casey Clayton
16,708 Points

With my personal experience doing MITM attacks, it really is up to the user on this. There are many ways to intercept the incoming webpage and send an unencrypted version of it to the end user. The reason I say it is up to the user is that this can sometimes throw them an invalid certificate, but 90% of end users will just accept and continue on to the site. I have done various tests with MITM against Facebook, Gmail, Yahoo, Hotmail, etc. and have never had a problem getting the passwords whatsoever. Encryption will protect you from people just sniffing the network traffic for passwords, however. I have been over this extensively in pen testing courses, so do your best to secure it, but there will always be someone who can break it.

Good point and I completely agree.

"We start carrying semi-automatic, they start buying semi-automatic. We start wearing kevlar vest, they start buying armor-piercing rounds" (name the movie & finish the quote)

Casey Clayton
Casey Clayton
16,708 Points

I believe this is what Gordon is saying to Batman, in Batman Begins.