[RESOLVED] a banking site SSL conundrum

sandthipe

take a look at the Regions bank homepage. http://www.regions.com

you'll notice that the online account login is located on a page that is not encrypted. yet they claim your login is (or rather will be) encrypted when you press 'log in'. i can see that they are using a javascript function to submit the form to a secure page, but here is my question:

if you post data from an unsecure page to a secure page, will that data be encrypted before it gets there? i've always thought it did not work that way, but Regions bank seems to do it this way.

any thoughts? just curious.

here's the javascript page that handles the login: http://www.regions.com/js/loadMedia.js - function is called loginSubmit()

sneakyimp

The function loginSubmit is what is called when you click login. The first thing it does is validate your input. This all happens on your local computer. The 2nd thing it does is change the action attribute of the form to a secure URL:

document.forms[0].action='https://securebank.regions.com/login.aspx?brand=regions';

only after it has done that will it submit the form.

sneakyimp

Now that I think about it, if you don't have javascript, this could be a problem. I don't know if that form would even submit if you don't have javascript. It seems a bit unsafe to me.

sandthipe

yeah, it doesn't seem very secure to me either. functionally, what is the difference between having JS set the form action and just setting it in the HTML? either way, you're posting data from an insecure page to a secure one, right? and that would make the data transfer insecure. i couldn't find another bank that does it this way; i'd like to hear the Regions' web developer's explanation for this procedure.

sneakyimp

If you have javascript that allows the action of the form to be set, it should be fine. the javascript will change the action of the form to send any data to the secure URL. It will never be sent to any other.

If your browser has lame or no javascript, the form may not work right.

Weedpacket

sandthipe wrote:
if you post data from an unsecure page to a secure page, will that data be encrypted before it gets there? i've always thought it did not work that way, but Regions bank seems to do it this way.

The URL the form data is SSL. So the client opens a connection to https://www...., then it and the server negotiate an encryption protocol to use, exchange keys, and so forth. Once that's done, the form data is submitted over the resulting channel.

In other words, encryption is established before any subsequent HTTP transaction. So yes, the submitted form data is encrypted.

sandthipe wrote:
what is the difference between having JS set the form action and just setting it in the HTML?

It's an ASP.NET page; the entire page is a form that submits back to itself (which makes you wonder why they don't use ASP.NET to handle the login). So,

sneakyimp wrote:
I don't know if that form would even submit if you don't have javascript.

The login button stops working; even if you did manage to submit the form, it would just keep reloading the home page. Yay. We don't want your custom. Go away.

sandthipe

sneaky and weed, thanks for your thoughts. weedpacket, i'm curious if, in a similar system built on PHP, you could accomplish the same security. or is it only possible b/c of .NET's postback?

if regions bank had used PHP would either of these login procedures work?

<form action='https://www...'> - straight html form submission
<input type='submit' onclick='loginSubmit();' /> - JS form submission

not trying to belabor the subject, but, as a regions customer, it concerned me, and also, as a developer, it will be good to have this knowledge under my belt for future clients.

thanks again!

sneakyimp

I think weedpacket was trying to say that the data that you enter in the form will be encrypted when you submit it AS LONG AS THE ACTION REFERS TO AN HTTPS URL (assuming of course that the certificate and server are all set up correctly, etc., etc.). It really makes no difference whether the form is hosted securely because you download the form without any sensitive data in it -- it's just an empty form which gets downloaded to your machine.

Once you have downloaded the form, you type in your secret stuff and hit that button. Technically speaking, that button doesn't submit the form. It just calls some javascript and that javascript changes the action of the form to point to a secure url and only when that has been done is the form submitted with a form.submit() call.

putting the https URL in the action of your form should be enough to ensure that the data in transit is encrypted.

The second approach you suggested is exactly what this form does -- but it doesn't submit the form until after it changes the action to a secure url.

Weedpacket

sneakyimp's right; whether it's encrypted or not isn't anything to do with ASP.NET. The ASP.NET aspect does go part way to explaining the JavaScript hoops, which are a different matter.

sandthipe

wow. thanks! this has been a great lesson for me. i appreciate you both taking the time to think through this with me!