Re: [WSG] forms and SSL

2004-08-11 Thread Chris Blown 
On Thu, 2004-08-12 at 08:55, Lindsay Evans wrote:

> I just did a quick test using Ethereal , and it
> looks like the browser requests the server's certificate, then
> encrypts the data that it is sending.
> 
> Using Firefox 0.9.3 & Internet Explorer 6.

Thanks for that.

> 
> Of course, if you're intending to put this into practice somewhere,
> I'd suggest a bit more testing :)

No I'd rather serve the whole thing via https. 

I've seen quite a few larger sites that need to consider security doing
this and though it seems a perfectly secure practise, visitors might be
reluctant entering sensitive data into their browser without the closed
little pad lock icon appearing ;)  

Cheers
Chris Blown

**
The discussion list for  http://webstandardsgroup.org/

Proud presenters of Web Essentials 04 http://we04.com/
 Web standards, accessibility, inspiration, knowledge
To be held in Sydney, September 30 and October 1, 2004

 See http://webstandardsgroup.org/mail/guidelines.cfm
 for some hints on posting to the list & getting help
**

Re: [WSG] forms and SSL

2004-08-11 Thread Lindsay Evans 
Hi Chris,

I just did a quick test using Ethereal , and it
looks like the browser requests the server's certificate, then
encrypts the data that it is sending.

Using Firefox 0.9.3 & Internet Explorer 6.

Of course, if you're intending to put this into practice somewhere,
I'd suggest a bit more testing :)

As for your next question, I don't think it's possible to send
cleartext over HTTPS at all. (mind you, I'm not the worlds greatest
authority on HTTPS, so I might be wrong :p)

On Wed, 11 Aug 2004 12:25:13 +1000, Chris Blown
<[EMAIL PROTECTED]> wrote:
> A discussion popped up here recently, and though its not really specific
> to web standards, I still think its worthy of a bit of discussion on the
> list.
> 
> If you have a form that is served via standard http with its action set
> to a https server, then one assumes that the UA will send an encrypted
> post request. Or does it?

-- 
Lindsay Evans
http://lindsayevans.com/
**
The discussion list for  http://webstandardsgroup.org/

Proud presenters of Web Essentials 04 http://we04.com/
 Web standards, accessibility, inspiration, knowledge
To be held in Sydney, September 30 and October 1, 2004

 See http://webstandardsgroup.org/mail/guidelines.cfm
 for some hints on posting to the list & getting help
**

[WSG] forms and SSL

2004-08-10 Thread Chris Blown 
A discussion popped up here recently, and though its not really specific
to web standards, I still think its worthy of a bit of discussion on the
list.

If you have a form that is served via standard http with its action set
to a https server, then one assumes that the UA will send an encrypted
post request. Or does it?

One example is www.americanexpress.com.au which happily accepts members
password from the ( http ) front page and posts to a https server.

I guess the next question is can you post a clear text request to a
https server without complaint?

Regards
Chris Blown

 



  

**
The discussion list for  http://webstandardsgroup.org/

Proud presenters of Web Essentials 04 http://we04.com/
 Web standards, accessibility, inspiration, knowledge
To be held in Sydney, September 30 and October 1, 2004

 See http://webstandardsgroup.org/mail/guidelines.cfm
 for some hints on posting to the list & getting help
**