What is the difference between HTTP and HTTPS? Secure and unsecure testing in a web-based application.
HTTP and HTTPS are protocols.
You are talking about protocol testing, or web application access using HTTPS; the test cases are the same as for HTTP access, you just have to make more security test cases related to HTTPS access.
Regards,
Brijesh Jain
---------------------------------------------------------
Connect with me on Skype: jainbrijesh
Google Plus : jainbrijeshji
HTTP and HTTPS are protocols used for transferring data through the Web, of which HTTPS is a secured service used mainly in Intranet applications and in applications which require very secured access, such as applications used for Internet banking, online shopping etc. HTTPS is used mostly for dynamic data.
Mostly the test cases for both will be the same, but HTTPS requires more test cases which test its security. Some of the extra test cases which you will be executing for HTTPS web pages are:
- the application is not accessible if left alone for some period of time
- Only the users from the privileged group can login to the application
- Should ask for a password change once in a month
- should get locked if the wrong password is entered for more than three times
- For Intranet applications should be accessible only within the network
- All the information stored should be secured.
Regards,
Ganesan
Regards,
Brijesh Jain
Hi Brijesh,
The test cases I have mentioned will be followed in most of the web pages using HTTPS. I think you can the below test cases in Gmail also. Also I don't know what security factors they are looking for in Gmail.
- Only the users from the privileged group can login to the application, which means only the users who have an account created can login. But this is common in HTTP sites also.
- should get locked if the wrong password is entered for more than certain number of times.
Ganesan
Regards,
Brijesh Jain
Hey People,
It is true that the security perspective of a site with regard to the number of login attempts would not be decided by the HTTPS or HTTP protocols. It is more or less dependent on the security level as designed by the Dev team.
HTTPS would actually pertain to these points. I picked a few from Sridhar:
- Session Timeout - Application Idle.
- Accessing the application outside a Secure network.
- Accessing the same site with http within the Intranet network.
- Secure methods of Information transferring meaning Should not use the GET method as part of URL. It should use the Secure Socket Layer encryption.
- Testing whether Data interruption is possible in transit - use Man in the Middle Attacks, Eavesdropping etc.
Cheers...
Hi Brijesh,
Yes, you are correct. The number of login attempts is based on the SRS, not specific to HTTP or HTTPS. Also, Umesh had included some more points regarding the difference.
Regards,
Ganesan
Don't mind friends,
But I am still not satisfied with your answers.
1) As you told about time out, it again depends on the SRS, what session time you have set for the application. Our geek site also gets a session timeout if left idle for some time.
2) Definitely HTTPS is a secure network, so no comment.
3) Use the "get" method or "set" method, it's on development.
Let's do more brainstorming on this question, what do you say?
Regards,
Brijesh Jain
Hi Brijesh,
Our Geek site will session time out if left idle for some time, but it only logs out the member and the page will still be available. But if you look at a secured site such as net banking, if you refresh the page after leaving it idle for some time it will display the error page.
Definitely, we can discuss and brainstorm in this regard.
Regards,
Ganesan
Hey Brijesh,
Definitely a nice idea to have a brainstorm and come to a very appropriate conclusion on testing HTTPS and HTTP applications.
One small thing I would like to clarify -
"Use the "get" method or "set" method, it's on development"
In case we are trying to test an HTTPS site, the use of the GET method would classify as a defect because it would then enable eavesdropping. Prevention of eavesdropping is a primary reason we opt for an HTTPS site.
So we can definitely include it as part of our testcase to ensure that only Secure Socket Layer methodology of data submission is used.
Cheers.....
Regards,
Brijesh Jain