php - Secure popup login possible?

Question

I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.

It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.

Is there a way I can make the pop up login form secure without making the whole site https?

Answer 1

Using an AJAX pop-up (or an iframe) that goes (in theory) to https:// on an http:// page presents two problems:

1. An attacker could intercept the page and replace the link with his own.
2. This prevents the user from checking to which site it's connected to.

The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP recommendation:

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.

Essentially, a MITM could modify the page you use to server that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).

The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https:// site: mybank.example.com and attackers.example.com could both have a valid certificate issued by a trusted authority. If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https:// site from a popup or an iframe hides the real target website.

This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).

In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.