Our website has a login form that shows up in the header on every page on the website. This is what my boss wants however we need to get PCI compliant and it says any sensitive form (login/password) requires SSL. So does that mean the entire website has to be running under SSL while a user is not logged in?
Another question related to that, we have third party security software scanning and testing our site and it sends HTTP post to the login form on all the pages and reports it is unsecured because it submit's it under HTTP. I am wondering how a company like say Godaddy does it because they have a login/password on their homepage yet I can access it via HTTP and submit my login information just fine. By that logic they are not secure because it allows me to do that right? I feel like I am missing something but not sure what.
-EDIT-
Some information that came from the security site:
Description
A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc) that are thought to be SSLsecured.
Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker
could leverage cache poisoning (DNS/DHCP/ARP/etc) or another vulnerability (e.g. XSS) to cause the HTTP page to send
information to an attacker-controlled website instead of the legitimate HTTPS site.
Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and
establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all
information in cleartext (including login credentials, etc).
Victim<———HTTP———>Attacker<———HTTPS———>Legitimate Site
CVSS Score
2.1
Solution
Do not allow any information you want SSL secured to originate from an unsecured page.
Best Answer
Technically, only the target of the form needs to be a SSL protected page for the submission to be encrypted. I saw this done at a previous job where we had a login form in the header.
HOWEVER
By doing this you are losing the clarity that we've been telling users to look for. Users are instructed to look to the URL bar to see if the website is using an encrypted connection for their information. By having the page not delivered via SSL, users may mistakenly believe that their form (username and password) isn't encrypted either.
Furthermore, as pointed out by Craig below, if the page you're submitting from isn't encrypted, you cannot assert that the page has not been intercepted and altered. That familiar form that you know has always submitted to a HTTPS url may have been intercepted and altered before it was rendered.
Your best bet is to just offer SSL on all pages if you insist on having the login form in the header. SSL is relatively cheap to implement as far as server resources, and it gives your users the extra security they deserve.