Just to be clear, my understanding has been that you don't need to secure the form from a security point of view. You need to secure it from a user confidence point of view.

Regardless of whether the form is encrypted or not, as long as the action page uses SSL no-one can snoop on the data being sent across the wire. The only other compelling reason I can think of to use SSL for the form page is because you then know that a secure session can be established before you try to send any sensitive data across the wire. I don't know enough about it, but I'd expect that if the browser couldn't establish a secure connection to the server it would not attempt to send anything. That's relying on the implementation of the web browser though, which might not be the best thing.

Spike

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of
>G A R Y C R O U C H [ A I T ]
>Sent: Tuesday, April 20, 2004 2:51 PM
>To: CFAussie Mailing List
>Subject: [cfaussie] Re: [OT] SSL
>
>OK, having written a paper last year on SSL or we should be
>calling it by its new name TLS (Transport Layer Security). I
>can comment with some confidence on this.
>
>Taco; you are correct. I'll explain why.
>
>When the user submits the page with the form the first thing
>that happens down inside the TCP/IP stack (in the TRANSPORT
>layer for those that want to know) SSL/TLS is turned on,
>this is when the client and host computers are hand-shaking,
>before the HTTP packet has been sent over the connection.
>After the SSL / TLS connection has been made the HTTP packet
>will be delivered using the secured connection. Just the
>same as doing a <cfhttp> to a https:// connection with post-form data.
>
>Point is we always secure the form as well to give the user
>confidence that the information is over a secure connection.
>
>Hope this is understandable.
>
>----- Original Message -----
>From: "Taco Fleur" <[EMAIL PROTECTED]>
>To: "CFAussie Mailing List" <[EMAIL PROTECTED]>
>Sent: Wednesday, April 21, 2004 8:04 AM
>Subject: [cfaussie] Re: [OT] SSL
>
>
>That's what I thought, but I have several people telling me
>otherwise, can you really confirm this? i.e. are you certain?
>
>Cheers.
>
>-----Original Message-----
>From: Gary Menzel [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, 21 April 2004 8:02 AM
>To: CFAussie Mailing List
>Subject: [cfaussie] Re: [OT] SSL
>
>
>> I could be totally wrong here, but I was under the impression that for a
>> form to be secure it had to be posted from within SSL,
>> but I have been hearing that I am wrong, and that even if it's posted
>> from outside SSL to SSL the connection is secure. Could
>> someone confirm one or the other?
>
>It is my understanding that the form itself MUST be already in
>SSL for the process to be secure.
>
>Again, the story goes that it is that both the pages involved
>must be under SSL.
>
>
>Gary Menzel
>Web Development Manager
>IT Operations Brisbane -+- ABN AMRO Morgans Limited
>Level 29, 123 Eagle Street BRISBANE QLD 4000
>PH: 07 333 44 828 FX: 07 3834 0828

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]

MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia
http://www.mxdu.com/ + 24-25 February, 2004
