I have a web app which works via https. A prospective user can visit the app via a non-secure URL (i.e. http://www.mywebsite.com) but when they do so, I have arranged the app to present a “Non-Secure” page, and then offer a button to redirect to the secure entry.
I do not know if this button is a good idea. Is it the kind of thing that can be hijacked by a MITM ?
Your opinions are received with gratitude.
Regards,
Tony Barry
Sydney
It’s perfectly acceptable. Even more desirable is just to detect they are in the non SSL version and then redirect to the SSL version automatically.
Someone could in theory hack your server, change the button to go to a different secure site, and pretend its yours. Their SSL certificate wouldn’t match yours but who checks SSL certificates? That’s why they invented EV certificates so the green bar tells you who it is.
Thank you Phillip.
I have the regular SSL but not the Extended Validation Cert.
You are right - checking the little padlock is only done by the paranoid.
Regards,
Tony Barry
Sydney