How to create a secure login form with an SSL certificate

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 4.67 out of 5)
Loading...

Creating a secure login form with an SSL certificate is a must. Here’s how you can do it.

There is always a risk involved when entering your login credentials as a user on a site that is not secured by an SSL certificate. Doing so allows potential attackers to view your username and password in plaintext. The attackers could easily steal information entered by the user in a non-https web-page that hosts the login form. There are several approaches an attacker can take to steal a user’s login information, like phishing, cross-site scripting or man-in-the-middle attacks. Such compromised login details can result into bigger problems like data theft, etc.

Secure login form with an SSL certificate

Mistakes Web-Developers Make

Here are two of the most common mistakes a lot of web-developers end up committing when it comes to creating a secure login form.

    • Ignoring the importance of a secure login form: A lot of developers and website owners neglect the importance of having a secure login form on websites. Without realizing the perils of their actions, these web-developers’ negligence can cause a lot of damage to their visitors.
    • Putting an https login form on an unsecured http page: Generally, an SSL certificate takes more processing power, especially on a high-traffic website. Because of this reason, many developers put the login form on an http page like the home page. No doubt, doing so, the login information submitted by a user does get encrypted, but there are a couple of problems that could arise by taking this approach:
      1. can’t be sure about the login form’s security status: Nowadays, Internet users are trained to look for certain visual cues like a padlock symbol and green address bar that ensures them of a secure web-session. Removing these security icons altogether may leave the users unsure about the security status of a webpage in spite of the submitted information being encrypted.
      2. Attackers can change the form’s action to another URL: When the login forms are transferred to an http page, a cyber-attacker can easily inject a different URL for the form to post. At this point the user would be completely clueless about the login credentials being compromised until the username and password are already sent to the attacker. In an alternate method of stealing the information, an attacker can even inject some JavaScript code to acquire the username and password without the user noticing any unusual activity.

How to create a safe login form using an SSL certificate

Secure login using an SSL certificate

SSL Certificates for www and without

Save Up 75% On Comodo SSL Certificates

Tip: You can typically save a significant amount by buying your SSL certificate direct instead of through your web hosting company. We sell all Comodo SSL certificates at up to 75% off.
Compare SSL Certificates

Now that we are aware about the procedures to be avoided to secure a login form, let’s go over the method of securing it with an SSL certificate. Many websites, including highly trusted bank websites, conveniently used to put their login form on their unsecured home pages. This has caused a lot of trouble to the users submitting their personal information after logging into these sites. Thankfully, on realizing the dire consequences, many sites opted for more secure methods. On such sites, the visitors are forwarded to an ‘https’ page even if they visit their unsecured homepage. In addition to that, EV SSL certificate visual cues like the green address bar eliminate all the possibilities of man-in-the-middle attacks or phishing attacks.

Principally, there are two options available for website owners to create a secure login form. They are:

  1. Create a separate login page which is accessed ONLY using an ‘https’ url.
  2. Implement ‘https’ on the homepage and let the users login from there by including the login form there.  This was found to be more convenient for the users to log in because the majority of users tend to bookmark such ‘secured’ homepage as compared to a separate login page.

As per the Open Web Application Security Project (OSWAP), the worldwide non-profit organization focused on improving the security of software, a login landing page must use an SSL certificate. It clearly states that the very page where the user fills out the form should be an https page. If it is not secure, attackers can modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the username/ password as it is typed.

Other options to secure a login form: Apart from securing the login page with SSL, there are several other options available. They are:

    • Facebook: Today, almost everyone has a Facebook account. And this social media network easily authenticates its users by using their Facebook username and password. The verification procedure is carried out on Facebook website which is completely secured by an SSL certificate. This option saves users from remembering another set of login/password.
    • OpenID: Just like the Facebook connect, OpenID lets users authenticate on another website. Although it’s not as popular as Facebook, there are many OpenID services available.
    • Twitter: An API offered by Twitter also allows users to log in securely on their site using their Twitter account.

Although, securing a login form of any website may seem like a very small step towards web-security, but without taking this step, users get a negative impression about the website’s security. On the contrary, by protecting a websites’ login form, you are rewarding users’ expectations about a web-security.

It's only fair to share...Share on Facebook
Facebook
0Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
0