Can the padlock be spoofed?

Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Hi,

We know that on accessing an https URL, we see a small padlock icon on the bottom of the browser window. I'm curious if this padlock is set by the page designer when the page is designed, or would that be added by the browser when it accesses an HTTPS URL. Please clarify.


Regards
KumarRaja

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41065
    
  43
It's set by the browser, and indicates it retrieved the page over SSL. But that does NOT mean that if you see the padlock, any form you're going to submit will be encrypted: The form could have been retrieved in a frame that was loaded over HTTP, or a form submit could go to an HTTP URL. Either way - no encryption.


Ping & DNS - my free Android networking tools app
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Thanks Ulf.

Are you saying that, just because the padlock is appearing on the browser and the URL is listed as https, the form submitted need not be over SSL? How can this be possible? Can you please explain that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41065
    
  43
I mentioned two ways in which this can happen. Did you have questions about one or the other in particular?
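
Added example, not part of the original thread: a small Python check for the two cases described in the answer above, run over the HTML of a page that was itself fetched over HTTPS. It flags form targets and frame sources that resolve to plain `http://`. The class and function names, the `example` hosts and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PlaintextPathFinder(HTMLParser):
    """Collect form targets and frame sources that leave HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self._check("form-action", a.get("action") or "")
        elif tag in ("frame", "iframe") and a.get("src"):
            self._check("frame-src", a["src"])
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction overrides the enclosing form's action.
            self._check("formaction", a["formaction"])

    def _check(self, kind, ref):
        # Resolve relative and scheme-relative references against the page URL.
        target = urljoin(self.page_url, ref.strip())
        if urlparse(target).scheme == "http":
            self.findings.append((kind, target))


def find_plaintext_paths(page_url, html):
    finder = PlaintextPathFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a page served over HTTPS (so the padlock shows).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
  <form action="http://shop.example/pay" method="post"><input name="card"></form>
  <form action="/login" method="post"><input name="pw"></form>
  <iframe src="http://forms.example/signup"></iframe>
  <iframe src="//cdn.example/widget"></iframe>
  <form method="post"><button formaction="http://shop.example/alt">Go</button></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_plaintext_paths(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind}: {url}")
```

Relative and scheme-relative references inherit the page's `https` scheme, so only the three explicit `http://` targets in the sample are reported.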