Try Submit for the SSL Version of Login Page

Even though it is well known and easy to understand why it is a bad idea to serve login pages unencrypted, many organizations still do so. They claim that all is well since the page actually submits to a secure URL. Of course the problem is that the insecure page can be spoofed, so there really are no guarantees at all about that secure submit URL. There is even an unprotected login hall of shame page listing some notable examples.

For quite a long time ago I actually stumbled into a funny feature present on many such unprotected login pages. If you just hit submit (or login, or whatever the button says), you will often be redirected to the SSL-protected version of the login page. The first one that comes to mind where this works is LinkedIn. The way I found this is that I knew I had configured Firefox to remember my login for a site, yet when I went back Firefox did not fill in the login information. Looking in the password manager I noticed the login information was saved, but for the SSL version. I just decided to hit submit without password to see what would happen, and was glad to notice I ended up on the SSL-version of the page where Firefox promptly filled in the login information.

Similar Posts:

    None Found