The SSL/TLS handshake will occur before the HTTP POST occurs. So your form data 
will be sent encrypted.

However, as noted by Joseph, the username/password is just one part of the 
whole security system. Session identifiers (e.g. cookies) also need to be 
protected, otherwise the application is vulnerable to session hijacking.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brett Holden
Sent: Thursday, 3 May 2012 9:04 AM
To: ozDotNet
Subject: Re: [OT] Secure page?

The http page just has this

<html>
  <head></head>
  <body>
    <form action="https://secure.company.com.au:8090/login.php" method="post">
      <input type="hidden" name="verb" value="go">
      <b>Client Login</b><br><br>
      Username<br>
      <input type="text" name="username" size="15"><br><br>
      Password<br>
      <input type="password" name="pass" size="15"><br><br>
      <input type="submit" name="submit" value="Login">
    </form>
  </body>
</html>

On Thu, May 3, 2012 at 10:59 AM, Joseph Clark 
<[email protected]<mailto:[email protected]>> wrote:
It really depends what the page does. You could try installing a web debugger 
like Fiddler<http://fiddler2.com> or Charles<http://www.charlesproxy.com/> (or 
look at the network tab in Firebug or the Chrome inspector) to see exactly 
where the page transmits your information to.

Even if the username and password are transmitted securely, presumably there is 
some kind of ongoing session identifier being sent to & from your browser and 
the non-secure endpoint, in which case you may still be vulnerable to session 
hijacking.

On Thu, May 3, 2012 at 10:39 AM, Brett Holden 
<[email protected]<mailto:[email protected]>> wrote:
Is it safe to enter a password on a web page that is just http?
I've stumbled across a http page asking for my username and password. The page 
itself is http but has a form posting to a https PHP page. I would think the 
password gets sent in clear text but wanted to be sure.

Cheers
Brett

