On Thu, 8 Jul 2004, Mikael Bohlin wrote:
> - When a user logs on to the Captive portal page, it performs an HTTP POST
> sending the user ID and password in clear text. Any user with a network
> sniffer will easily find the others' credentials... Can this be changed into
> an HTTPS POST??? It would add a lot of security into it.
Sounds like a good idea, but since some browsers check consistency of
"security" between the GET and the POST, it would be best if the initial
page were served by HTTPS as well, even though it's not really sensitive.
Though in some sense it *is* sensitive, since a spoofed page could
"securely" send your credentials to a different server. Unfortunately,
having a "real" certificate for the m0n0wall rather than a self-signed one
would probably cost "real" money.
Is the HTTP/HTTPS choice tied to the WebGUI option?
Not all browsers check this sort of thing. On at least three separate
occasions, I found sites' "secure" web pages explicitly using http:// URLs
for the POSTs. So the *blank* forms were secure, but the filled-in
versions weren't. :-)
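As an added example (not code from the thread's authors or from the m0n0wall project), here is a small Python check for the mismatch described above: a form that collects a password but whose action resolves to a cleartext http:// URL. It parses the page with the standard library, resolves each form's action against the page URL the way a browser would (absent action, relative path, protocol-relative `//host/path`, absolute URL) and reports forms that would submit a password over HTTP. The page URL, form field names and HTML below are constructed sample input, not taken from m0n0wall.

```python
"""Audit HTML forms for password submissions that would travel over cleartext HTTP.

Added example, not m0n0wall code. It models the browser's view: the scheme that
matters is the one the form *action* resolves to, not the scheme the page itself
was served over.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collects every <form> on a page with its resolved action and method."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: action (absolute URL), method, has_password
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An absent or empty action submits back to the page's own URL;
            # relative and protocol-relative actions inherit the page's scheme.
            action = a.get("action") or ""
            self._current = {
                "action": urljoin(self.page_url, action),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return [(resolved_action, method)] for forms that would send a password
    to a non-https action. A page served over plain HTTP with a relative action
    is reported too, which is the captive-portal case in the thread."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme
        if form["has_password"] and scheme != "https":
            findings.append((form["action"], form["method"]))
    return findings


# Constructed sample: a login page served over HTTPS with four forms. Only the
# second one is a finding; the first and third inherit https, the fourth has
# no password field.
SAMPLE_PAGE_URL = "https://portal.example/index.html"
SAMPLE_HTML = """
<html><body>
<form action="" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="http://portal.example/auth" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="//portal.example/auth" method="POST">
  <input name="username"><input type="password" name="password">
</form>
<form action="http://portal.example/search">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, method in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"password form submits over cleartext: {method.upper()} {action}")
```

The same function run against a page URL beginning with `http://` flags even a relative-action login form, which is the situation the original poster describes; only an action that resolves to `https://` clears the check.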