zod

Reputation: 2798

How do sites like Facebook hide the password details when the URL does not start with https?

The Facebook home page (http://www.facebook.com/) has a login form on it. It does not redirect me to the https version of the same page. I can submit the form, and it will log me in. I have turned JavaScript off (I am using Firefox), and I don't believe they are using a frame (not that I can imagine how that would help without JavaScript).

If I was to make a page like this (without https), and I used Fiddler to look at the data being posted, I would see the password information was being sent as plain text.

However, when I tried the same thing with Facebook, it does not show me anything at all (the text tab in Fiddler is blank).

I take it they have encrypted the data in some way. How are they doing this?

Thanks

Upvotes: 0

Views: 351

Answers (1)

John Koerner

Reputation: 38077

While the site you are viewing is not HTTPS, when you click the login button it does a post to https://www.facebook.com/login.php, which is an HTTPS site, thus the data is secured when sent to the server.

Upvotes: 1
