I've never encountered this scenario, but what would the security implications be for such a website?
1 Answer
2
Not really. If the user is on an HTTP non-login page and clicks on a 'login' button, it is unlikely he/she is going to notice whether the login is now using HTTPS or HTTP.
Best to have the entire site on HTTPS.
Sunil Agrawal
In addition, authentication data for subsequent requests is stored in cookies, which are served over plain HTTP. An attacker can sniff them and use them to authenticate the user without having to know the actual credentials. Something like a pass-the-hash attack. – Crypt32 Nov 30 '17 at 06:12