


Can the padlock be spoofed?

Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Hi,

We know that on accessing an HTTPS URL, we see a small padlock icon at the bottom of the browser window. I'm curious whether this padlock is set by the page designer when the page is designed, or whether it is added by the browser when it accesses an HTTPS URL. Please clarify.


Regards
KumarRaja

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41634
    
  55
It's set by the browser, and indicates it retrieved the page over SSL. But that does NOT mean that if you see the padlock, any form you're going to submit will be encrypted: The form could have been retrieved in a frame that was loaded over HTTP, or a form submit could go to an HTTP URL. Either way - no encryption.


Ping & DNS - my free Android networking tools app
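The two cases named in the answer above (a form framed from an HTTP URL, and a form whose submit target is an HTTP URL) can be checked for on your own pages. The following is an added example, not part of the original thread; the page URL, the markup, and the names `CleartextAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: markup as it might be served from an HTTPS checkout page.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
  <form id="login" action="http://shop.example/login" method="post"></form>
  <form id="search" action="/search"></form>
  <iframe src="http://pay.example/card-form"></iframe>
  <iframe src="https://pay.example/receipt"></iframe>
</body></html>
"""


class CleartextAudit(HTMLParser):
    """Collect form targets and frame sources that resolve to plain HTTP."""

    # Tag -> attribute holding the URL the browser will contact.
    URL_ATTR = {"form": "action", "iframe": "src", "frame": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        if attr is None:
            return
        # A missing or empty value resolves to the page's own URL,
        # which is where a form without an action attribute submits.
        value = dict(attrs).get(attr) or ""
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))


def audit(page_url, html):
    """Return (tag, absolute_url) pairs that would bypass TLS."""
    parser = CleartextAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, target in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{tag}: {target} is not encrypted")
```

Relative and scheme-relative URLs are resolved against the page URL first, so `/search` on an HTTPS page is correctly treated as encrypted.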
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Thanks Ulf.

Are you saying that, just because the padlock is appearing in the browser and the URL is listed as https, the form submitted need not be over SSL? How can this be possible? Can you please explain that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41634
    
  55
I mentioned two ways in which this can happen. Did you have questions about one or the other in particular?
 