You can have a form that is not encrypted yet the transaction is secure?
Saturday, September 29th, 2007
Things that surprise me.
Simplyamazing asks a question:
I’ve been very concerned about a particular website that has a login page that is not SSL. I’ve always assumed this type of login POSTs data in the clear (that is, you can read it clearly by parsing the HTTP stream and plucking out values of interest). If the login page is already secure (i.e. “https://www.ourverylargebank.com/login.asp”), then all traffic is encrypted.
This being said, I’ve found a site that does exactly this, yet they claim that because they are POSTing to an SSL page (i.e. in the FORM tag: target=“https://www.ourverylargebank.com/processlogin.asp”), it is still SSL secure.
I disagree. Am I wrong? Is there something I don’t know or understand about the protocols? How could a target page retroactively encrypt incoming POST data?
Others on the forum say that the connection will be securely encrypted. Simplyamazing tests this and then reports:
I was worried that it might send the data along with the initial handshake in the same pass where the data would sit in a receiving buffer until the connection was made – now I realize this does not make any sense and my paranoia is unfounded.
This is something I never really considered before as I’d always, by virtue of everyone else doing it, put a login form in an SSL page.
I ran Ethereal (a network sniffer) and tried different tests – indeed, it is being encrypted.
I am surprised to learn that a form on a non-encrypted page is secure, so long as it posts to an encrypted page.
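An added example, not code from the thread: a small auditor that reports, for each form on a page, the property the thread settles (an https action means the POST travels inside a TLS session, which is negotiated before any HTTP bytes are sent) alongside whether the page carrying the form was itself delivered over TLS. The page URL and HTML are constructed, modelled on the thread's bank example.

```python
# Added example (not from the thread): audit the forms on a page and report,
# per form, whether the submission is encrypted and whether the page carrying
# the form was itself served over TLS. URLs and HTML below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None  # one dict per <form> seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "types": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["types"].append(a.get("type") or "text")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(page_url, html):
    """One report per form. submission_encrypted is decided by the action URL:
    with an https action the TLS handshake completes before any HTTP bytes
    (the fields included) are sent. page_over_tls is decided by the page URL."""
    parser = FormCollector()
    parser.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    reports = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"])  # "" posts back to the page
        reports.append({"action": action,
                        "has_password": "password" in form["types"],
                        "submission_encrypted": urlsplit(action).scheme == "https",
                        "page_over_tls": page_tls})
    return reports


# Constructed sample modelled on the thread: an http login page whose form
# posts to an https action, plus a search form that posts back to the site.
SAMPLE_PAGE = "http://www.ourverylargebank.com/login.asp"
SAMPLE_HTML = """<form method="post" action="https://www.ourverylargebank.com/processlogin.asp">
<input name="user"><input name="pass" type="password"></form>
<form method="get" action="/search.asp"><input name="q"></form>"""
```

The first report for the sample is the case tested in the thread: submission encrypted, but the page carrying the form not served over TLS.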