No More Passwords over HTTP, Please! | Tanvi Vyas

The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure.

Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker.

The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

Source: No More Passwords over HTTP, Please! | Tanvi Vyas
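The check described in the excerpt, as an added example that is not from the original post or from any browser's code: a simplified version of the Secure Contexts "potentially trustworthy" test, applied to a page and every page that embeds it. The function names, the sample URLs and the restriction to http(s)/ws(s) URLs are assumptions of this sketch.

```javascript
// Simplified "potentially trustworthy" test modeled on the W3C Secure
// Contexts spec. Assumption: only http(s)/ws(s) URLs are considered; any
// other scheme, or an unparsable URL, is treated as non-secure.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable URL: treat as non-secure
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol !== "http:" && url.protocol !== "ws:") return false;
  // Loopback hosts never leave the machine, so there is no network path
  // for a MITM to tamper with. URL.hostname keeps IPv6 brackets; strip them.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return host === "::1";
}

// chain: URL of the document holding the password field first, followed by
// each embedding (ancestor) page up to the top-level page. One non-secure
// entry makes the whole context non-secure, because that page can be
// rewritten in transit and can then interfere with what it embeds.
function auditPasswordContext(chain) {
  const insecure = chain.filter((u) => !isPotentiallyTrustworthy(u));
  return { secure: insecure.length === 0, insecure };
}

// Constructed sample: an HTTPS login form framed by an HTTP article page.
const SAMPLE_CHAIN = [
  "https://login.example/form",
  "http://news.example/article",
];
console.log(auditPasswordContext(SAMPLE_CHAIN));
```

In a live page, `window.isSecureContext` exposes the browser's own verdict for the current document.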
