Thread: Difference

  1. #1
    Expert Member
    Join Date
    May 2007
    Answers
    146

    Difference

    What is the diff. between HTTP and HTTPS? Secure and unsecure testing in web based application.


  2. #2
    Moderator
    Join Date
    Sep 2006
    Answers
    920

    Re: Difference

    HTTP and HTTPS are protocols.

    You are talking about protocol testing, or web application access using HTTPS, the test cases are the same as for http access, you just have to make more security test cases related to https access.

    Regards,
    Brijesh Jain
    ---------------------------------------------------------
    Connect with me on Skype: jainbrijesh
    Google Plus : jainbrijeshji

  3. #3

    Re: Difference

    HTTP and HTTPS are protocols used for transferring data through the Web, of which HTTPS is a secured service used mainly in Intranet applications and in applications which require very secure access, such as applications used for Internet banking, online shopping etc. HTTPS is used mostly in the Dynamic data.

    Mostly the test cases for both will be the same, but HTTPS requires more test cases which test its security. Some of the extra test cases which you will be executing for HTTPS web pages are:

    - the application is not accessible if left alone for some period of time
    - Only the users from the privileged group can login to the application
    - Should ask for a password change once in a month
    - should get locked if the wrong password is entered for more than three times
    - For Intranet applications should be accessible only within the network
    - All the information stored should be secured.

    Regards,
    Ganesan


  4. #4
    Moderator
    Join Date
    Sep 2006
    Answers
    920

    Re: Difference

    Quote: Originally posted by sridharrganesan
    HTTP and HTTPS are protocols used for transferring data through the Web, of which HTTPS is a secured service used mainly in Intranet applications and in applications which require very secure access, such as applications used for Internet banking, online shopping etc. HTTPS is used mostly in the Dynamic data.

    Mostly the test cases for both will be the same, but HTTPS requires more test cases which test its security. Some of the extra test cases which you will be executing for HTTPS web pages are:

    - the application is not accessible if left alone for some period of time
    - Only the users from the privileged group can login to the application
    - Should ask for a password change once in a month
    - should get locked if the wrong password is entered for more than three times
    - For Intranet applications should be accessible only within the network
    - All the information stored should be secured.


    Regards,
    Ganesan

    Hi ganesan,

    I use gmail using https only, but the test cases you have written here, all fail in my scenario, it means, gmail https is not correct or the test case, where is the problem?

    Regards,
    Brijesh Jain
    ---------------------------------------------------------
    Connect with me on Skype: jainbrijesh
    Google Plus : jainbrijeshji

  5. #5

    Re: Difference

    Hi Brijesh,

    The test cases I have mentioned will be followed in most of the web pages using HTTPS. I think you can the below test cases in gmail also. Also I don't know what security factors they are looking for in gmail.

    - Only the users from the privileged group can login to the application, which means the user who have the account created can only login. But this is common in HTTP site also.
    - should get locked if the wrong password is entered for more than certain number of times.

    Ganesan


  6. #6
    Moderator
    Join Date
    Sep 2006
    Answers
    920

    Re: Difference

    Quote: Originally posted by sridharrganesan
    Hi Brijesh,

    The test cases I have mentioned will be followed in most of the web pages using HTTPS. I think you can the below test cases in gmail also. Also I don't know what security factors they are looking for in gmail.

    - Only the users from the privileged group can login to the application, which means the user who have the account created can only login. But this is common in HTTP site also.
    - should get locked if the wrong password is entered for more than certain number of times.

    Ganesan

    What I can say about it is, it totally depends on the SRS how we will handle the security issues. You know our site geekinterview.com also gives only 5 chances to login and then locks the user. But it's not using https, what do you say?

    Regards,
    Brijesh Jain
    ---------------------------------------------------------
    Connect with me on Skype: jainbrijesh
    Google Plus : jainbrijeshji

  7. #7
    Expert Member
    Join Date
    Oct 2007
    Answers
    375

    Re: Difference

    Hey People,

    It is true that the security perspective of a site with regards to the number of Login attempts would not be decided by https or http protocols. It is more or less dependent on the security level as designed by the Dev team.

    Https would actually pertain to these points. I picked a few from Sridhar

    • Session Timeout - Application Idle.
    • Accessing the application outside a Secure network.
    • Accessing the same site with http within the Intranet network.
    • Secure methods of Information transferring meaning Should not use the GET method as part of URL. It should use the Secure Socket Layer encryption.
    • Testing whether Data interruption is possible in transit - use Man in the Middle Attacks, Eavesdropping etc.


    Cheers...


  8. #8

    Re: Difference

    Hi Brijesh,

    Yes, you are correct. The number of login attempt is based on the SRS, not specific for http or https. Also, Umesh had included some more points regarding the difference.

    Regards,
    Ganesan


  9. #9
    Moderator
    Join Date
    Sep 2006
    Answers
    920

    Re: Difference

    Quote: Originally posted by bizzzzzare
    Hey People,

    It is true that the security perspective of a site with regards to the number of Login attempts would not be decided by https or http protocols. It is more or less dependent on the security level as designed by the Dev team.

    Https would actually pertain to these points. I picked a few from Sridhar

    • Session Timeout - Application Idle.
    • Accessing the application outside a Secure network.
    • Accessing the same site with http within the Intranet network.
    • Secure methods of Information transferring meaning Should not use the GET method as part of URL. It should use the Secure Socket Layer encryption.
    • Testing whether Data interruption is possible in transit - use Man in the Middle Attacks, Eavesdropping etc.


    Cheers...

    Don't mind friends,

    But I am still not satisfied with your answers.

    1) As you told about time out, it again depends on the SRS, what session time you have set for the application. Our geek site also gets a session timeout if left idle for some time.

    2) Definitely https is a secure network, so no comment.

    3) Use the "get" method or "set" method, it's on development.

    Let's do more brainstorming on this question, what do you say?

    Regards,
    Brijesh Jain
    ---------------------------------------------------------
    Connect with me on Skype: jainbrijesh
    Google Plus : jainbrijeshji

  10. #10

    Re: Difference

    Hi Brijesh,

    Our Geek site will session time out if we leave it idle for some time, but it only logs out the member and the page will still be available. But if you look at a secured site such as net banking, if you refresh the page after leaving it idle for some time it will display the error page.

    Definitely, we can discuss and brainstorm in this regard.

    Regards,
    Ganesan


  11. #11
    Expert Member
    Join Date
    Oct 2007
    Answers
    375

    Re: Difference

    Hey Brijesh,

    Definitely a nice idea to have a brainstorm and come to a very appropriate conclusion on testing https and http applications.

    One small thing I would like to clarify -

    "Use the "get" method or "set" method, it's on development."

    In case we are trying to test a Https site, the use of the Get method would classify as a defect coz it would then enable eavesdropping. Prevention of Eavesdropping is a primary reason we opt for a Https site.

    So we can definitely include it as part of our testcase to ensure that only Secure Socket Layer methodology of data submission is used.

    Cheers.....
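
The HTTPS-specific checks raised in posts #7 and #11 (the site being reachable over plain http, credentials submitted with GET) can be automated against captured responses. This is an added example, not code from any poster: the `audit` function, the finding names and the `app.example.test` responses are constructed for illustration, and the HSTS and cookie `Secure` checks go beyond what the thread lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _FormScan(HTMLParser):
    """Record [method, action, has_password_field] for every <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([(a.get("method") or "get").lower(), a.get("action") or "", False])
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1][2] = True

def audit(url, status, headers, body):
    """Transport-security findings for one response; headers is a list of (name, value)."""
    findings = []
    https = urlsplit(url).scheme == "https"
    hdr = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in hdr if k == "location"), "")
    if not https:
        # Plain HTTP is acceptable only as a redirect to the HTTPS site.
        if not (status in (301, 302, 307, 308) and location.startswith("https://")):
            findings.append("plain-http-served")
    elif not any(k == "strict-transport-security" for k, _ in hdr):
        findings.append("missing-hsts")
    for k, v in hdr:
        if k == "set-cookie":
            flags = [p.strip().lower() for p in v.split(";")[1:]]
            if "secure" not in flags:  # cookie would also be sent over http://
                findings.append("cookie-without-secure:" + v.split("=", 1)[0])
    scan = _FormScan()
    scan.feed(body)
    for method, action, has_pw in scan.forms:
        if has_pw and method == "get":  # password would end up in the URL
            findings.append("password-form-uses-get")
        if has_pw and (action.startswith("http://") or not (https or action.startswith("https://"))):
            findings.append("password-form-posts-over-http")
    return findings

# Constructed sample responses (hypothetical host, not captured from a real site).
WEAK = ("https://app.example.test/login", 200,
        [("Set-Cookie", "SID=abc123; Path=/; HttpOnly")],
        '<form method="get" action="/login"><input type="password" name="pw"></form>')
GOOD = ("https://app.example.test/login", 200,
        [("Strict-Transport-Security", "max-age=31536000"),
         ("Set-Cookie", "SID=abc123; Path=/; HttpOnly; Secure")],
        '<form method="post" action="/login"><input type="password" name="pw"></form>')
print(audit(*WEAK), audit(*GOOD))
```

A password submitted with GET is carried in the URL, so it is recorded in browser history and server access logs regardless of the transport.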


  12. #12
    Moderator
    Join Date
    Sep 2006
    Answers
    920

    Re: Difference

    Quote: Originally posted by sridharrganesan
    Hi Brijesh,

    Our Geek site will session time out if we leave it idle for some time, but it only logs out the member and the page will still be available. But if you look at a secured site such as net banking, if you refresh the page after leaving it idle for some time it will display the error page.

    Definitely, we can discuss and brainstorm in this regard.

    Regards,
    Ganesan

    Yes, you will get the error message and the reason for that if the user is going to leave the secure connection, and this is exactly what we should test when testing https; it is the protocol functionality, not the application's.

    Regards,
    Brijesh Jain
    ---------------------------------------------------------
    Connect with me on Skype: jainbrijesh
    Google Plus : jainbrijeshji
