What is the difference between HTTP and HTTPS? Secure and insecure testing in web-based applications.
HTTP and HTTPS are protocols.
Are you talking about protocol testing, or about web application access using HTTPS? The test cases are the same as for HTTP access; you just have to write more security test cases related to HTTPS access.
HTTP and HTTPS are protocols used for transferring data over the Web, of which HTTPS is a secured service used mainly in intranet applications and in applications which require very secure access, such as applications used for Internet banking, online shopping, etc. HTTPS is used mostly for dynamic data.
Mostly the test cases for both will be the same, but HTTPS requires more test cases which test its security. Some of the extra test cases which you will be executing for HTTPS web pages are:
- The application is not accessible if left alone for some period of time
- Only the users from the privileged group can log in to the application
- Should ask for a password change once a month
- Should get locked if the wrong password is entered more than three times
- For intranet applications, should be accessible only within the network
- All the information stored should be secured.
Regards,
Ganesan
[QUOTE=sridharrganesan;23931]HTTP and HTTPS are protocols used for transferring data over the Web, of which HTTPS is a secured service used mainly in intranet applications and in applications which require very secure access, such as applications used for Internet banking, online shopping, etc. HTTPS is used mostly for dynamic data.
Mostly the test cases for both will be the same, but HTTPS requires more test cases which test its security. [B]Some of the extra test cases which you will be executing for HTTPS web pages are:
- The application is not accessible if left alone for some period of time
- Only the users from the privileged group can log in to the application
- Should ask for a password change once a month
- Should get locked if the wrong password is entered more than three times
- For intranet applications, should be accessible only within the network
- All the information stored should be secured.[/B]
Regards,
Ganesan[/QUOTE]
Hi ganesan,
I use Gmail over HTTPS only, but the test cases you have written here all fail in my scenario. Does that mean Gmail's HTTPS is not correct, or the test cases? Where is the problem?
Hi Brijesh,
The test cases I have mentioned will be followed in most of the web pages using HTTPS. I think you can apply the below test cases to Gmail also. Also, I don't know what security factors they are looking for in Gmail.
- Only the users from the privileged group can log in to the application, which means only users who have an account created can log in. But this is common in HTTP sites also.
- Should get locked if the wrong password is entered more than a certain number of times.
Ganesan
[QUOTE=sridharrganesan;23945]Hi Brijesh,
The test cases I have mentioned will be followed in most of the web pages using HTTPS. I think you can apply the below test cases to Gmail also. Also, I don't know what security factors they are looking for in Gmail.
- Only the users from the privileged group can log in to the application, which means only users who have an account created can log in. But this is common in HTTP sites also.
- Should get locked if the wrong password is entered more than a certain number of times.
Ganesan[/QUOTE]
What I can say about it is that it totally depends on the SRS how we will handle the security issues. You know our site geekinterview.com also gives only 5 chances to log in and then locks the user. But it's not using HTTPS. What do you say?
Hey People,
It is true that the security perspective of a site with regard to the number of login attempts would not be decided by the HTTPS or HTTP protocols. It is more or less dependent on the security level as designed by the Dev team.
HTTPS would actually pertain to these points. I picked a few from Sridhar :)
[LIST]
[*]Session Timeout - Application Idle.
[*]Accessing the application outside a secure network.
[*]Accessing the same site with HTTP within the intranet network.
[*]Secure methods of information transfer, meaning it should not use the GET method as part of the URL. It should use Secure Socket Layer encryption.
[*]Testing whether data interruption is possible in transit - use Man in the Middle attacks, eavesdropping, etc.
[/LIST]
Cheers...
Hi Brijesh,
Yes, you are correct. The number of login attempts is based on the SRS, not specific to HTTP or HTTPS. Also, Umesh has included some more points regarding the difference.
Regards,
Ganesan
[QUOTE=bizzzzzare;23979]Hey People,
It is true that the security perspective of a site with regard to the number of login attempts would not be decided by the HTTPS or HTTP protocols. It is more or less dependent on the security level as designed by the Dev team.
HTTPS would actually pertain to these points. I picked a few from Sridhar :)
[LIST]
[B][*]Session Timeout - Application Idle.
[*]Accessing the application outside a secure network.
[*]Accessing the same site with HTTP within the intranet network.
[*]Secure methods of information transfer, meaning it should not use the GET method as part of the URL. It should use Secure Socket Layer encryption.
[*]Testing whether data interruption is possible in transit - use Man in the Middle attacks, eavesdropping, etc.[/B][/LIST]
Cheers...[/QUOTE]
Don't mind friends,
But I am still not satisfied with your answers.
1) As you said about the timeout, it again depends on the SRS and what session time you have set for the application. Our Geek site also gets a session timeout if left idle for some time.
2) Definitely HTTPS is a secure network, so no comment.
3) Using the "get" method or "set" method is up to development.
Let's do more brainstorming on this question. What do you say?
Hi Brijesh,
Our Geek site will have a session timeout if we leave it idle for some time, but it only logs out the member; the page will still be available. But if you look at a secured site such as net banking, if you refresh the page after it has been left idle for some time, it will display an error page.
Definitely, we can discuss and brainstorm in this regard.
Regards,
Ganesan
Hey Brijesh,
Definitely a nice idea to have a brainstorm and come to a very appropriate conclusion on testing HTTPS and HTTP applications. :)
One small thing I would like to clarify -
[QUOTE]Using the "get" method or "set" method is up to development[/QUOTE].
In case we are trying to test an HTTPS site, the use of the GET method would classify as a defect because it would then enable eavesdropping. Prevention of eavesdropping is a primary reason we opt for an HTTPS site.
So we can definitely include it as part of our test case to ensure that only the Secure Socket Layer methodology of data submission is used.
Cheers.....
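As an added example that is not part of this thread, the following Python harness turns the HTTPS points from Umesh's list (plain-HTTP access to the same site, session idle timeout) and the GET-vs-SSL point just above into offline checks; the capture records, host names, field names and cookie values are constructed assumptions, not data from any real site.

```python
# Added example (not from the thread): offline checks for the HTTPS test cases
# discussed above. The capture records, hosts and cookie values are constructed.
from urllib.parse import urlsplit, parse_qs

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "cardno", "otp", "token"}

def uses_https(url):
    return urlsplit(url).scheme == "https"

def sensitive_data_in_url(url):
    # "Should not use the GET method as part of URL": query-string secrets end up
    # in server logs, browser history and Referer headers even when TLS is used.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)

def http_redirects_to_https(response):
    # "Accessing the same site with http": plain-HTTP access must redirect to HTTPS.
    location = response["headers"].get("Location", "")
    return response["status"] in (301, 302, 307, 308) and uses_https(location)

def cookie_is_secure(set_cookie):
    # A session cookie must not travel over plain HTTP or be readable from script.
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs

def idle_timeout_enforced(idle_seconds, limit_seconds, still_authenticated):
    # "Session Timeout - Application Idle": the limit itself comes from the SRS.
    return idle_seconds <= limit_seconds or not still_authenticated

def run_checks(capture):
    findings = []
    for rec in capture:
        url, resp = rec["url"], rec["response"]
        if not uses_https(url) and not http_redirects_to_https(resp):
            findings.append(f"no redirect to HTTPS: {url}")
        if rec["method"] == "GET" and sensitive_data_in_url(url):
            findings.append(f"sensitive data in URL: {url}")
        for sc in resp["headers"].get("Set-Cookie", []):
            if not cookie_is_secure(sc):
                findings.append(f"cookie without Secure/HttpOnly: {sc.split('=')[0]}")
    return findings

CAPTURE = [  # constructed sample, not a real site
    {"method": "GET", "url": "http://bank.example/login",
     "response": {"status": 301, "headers": {"Location": "https://bank.example/login"}}},
    {"method": "GET", "url": "https://bank.example/login?user=alice&password=hunter2",
     "response": {"status": 200, "headers": {"Set-Cookie": ["SESSIONID=abc; Secure; HttpOnly; Path=/"]}}},
    {"method": "GET", "url": "http://intranet.example/app",
     "response": {"status": 200, "headers": {"Set-Cookie": ["SESSIONID=xyz; Path=/"]}}},
]
```

Running `run_checks(CAPTURE)` on the sample reports the password in the GET URL, the intranet page served over plain HTTP without a redirect, and its session cookie lacking the Secure and HttpOnly attributes.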
[QUOTE=sridharrganesan;24055]Hi Brijesh,
Our Geek site will have a session timeout if we leave it idle for some time, but it only logs out the member; the page will still be available. But if you look at a secured site such as net banking, if you refresh the page after it has been left idle for some time, it will display an error page.
Definitely, we can discuss and brainstorm in this regard.
Regards,
Ganesan[/QUOTE]
Yes, you will get the error message, and the reason for that is that the user is going to leave the secure connection. This is exactly what we should test when testing HTTPS: it is the protocol's functionality, not the application's.