Hi Lance,

The answer is no, your Post data is not encrypted yet.

In order for your Post data to be encrypted when sending to the Server (for example, a Logon form), you must first be on an HTTPS page - before Posting to an HTTPS page. The reason for this is that it is only during the first visit to an HTTPS page that your encryption keys are negotiated. Therefore that first Post is not yet encrypted, but each Post after the first page is.

Note: Most types of SSL encryption only apply to form POST methods, not GET methods.

Also note that only your data from the browser (Client) to the Server is the part that is encrypted. Output from the Server to the browser is not encrypted, so even though you are running SSL, it is still good practice to not display passwords or Credit Card numbers on your web-pages.

The way I understand it, if you want to encrypt your HTML data from the Server to the Client, then you have to get your users to install a special type of Client SSL Certificate on their workstation, with a personalized encryption key.

One of the first customers we ever had for the Witango work we do wanted to run everything in SSL mode. The Network Administrator was very good at his job and set up a Packet Sniffer on his network to test the encryption for Logons, and you could easily see that the Post data was not encrypted until after the first visit to an HTTPS page.

The logic I use for our Logon screens is to detect if the user has opened an HTTP page first - and if so, then only show a button to 'Open Secure Logon'. When they click this button, they are redirected to an HTTPS page before they can log on.

Example: http://www.plusinternational.com (bottom-left-corner).

Hope this helps.

Cheers...

Scott Cadillac
http://xml-extra.net
http://witango.org

VP, Research and Development
Plus International Corp.
604-460-1843
http://www.plusinternational.com
Vancouver, BC, Canada

----- Original Message -----
From: "Lance" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 3:40 AM
Subject: Witango-Talk: does a form submit from a http page to a https ensure secure data?

> hi,
>
> the above question has been puzzling me for a while. the situation is this.
>
> http://domainname.com/register.taf
> display a user registration form having
> [form action="https://domainname.com/register.taf" method="post"]
>
> will the data from that page be encrypted when it is sent via https
> specified in the [form] action?
>
> note: the registration form is served from http.
>
> could someone enlighten me on this?
>
> regards,
> lance
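
The logon-screen logic described in the reply above (an HTTP page shows only an 'Open Secure Logon' link, and the form itself is served from HTTPS), written as a Python WSGI handler. This is an added example, not code from the thread or from Witango; the URL, the field names and the refusal of credential POSTs that arrive over HTTP are assumptions of the example.

```python
# Added example: hypothetical WSGI logon handler (not Witango code).

# Constructed URL. It is a fixed constant, never built from the Host header,
# so a forged Host value cannot change where the link or form points.
SECURE_LOGON_URL = "https://www.example.test/logon"


def logon_app(environ, start_response):
    """Serve the logon form only over HTTPS; over HTTP offer just a link to it."""
    secure = environ.get("wsgi.url_scheme") == "https"
    method = environ.get("REQUEST_METHOD", "GET")

    if method == "POST" and not secure:
        # Credentials arrived over plain HTTP: refuse without reading the body.
        status, body = "403 Forbidden", "Logon is only accepted over HTTPS."
    elif method == "POST":
        # Checking the credentials is outside the scope of this example.
        status, body = "200 OK", "Credentials received over HTTPS."
    elif not secure:
        # HTTP visitor: no form fields at all, only the way to the HTTPS page.
        status = "200 OK"
        body = '<a href="%s">Open Secure Logon</a>' % SECURE_LOGON_URL
    else:
        # HTTPS visitor: the form, posting to an absolute HTTPS URL.
        status = "200 OK"
        body = ('<form action="%s" method="post">'
                '<input name="user"><input name="password" type="password">'
                '<button>Log on</button></form>') % SECURE_LOGON_URL

    data = body.encode("utf-8")
    start_response(status, [("Content-Type", "text/html; charset=utf-8"),
                            ("Content-Length", str(len(data)))])
    return [data]


def request(method, scheme):
    """Drive logon_app with a constructed WSGI environ; return (status, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": "/logon"}
    chunks = logon_app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for method, scheme in [("GET", "http"), ("GET", "https"),
                           ("POST", "http"), ("POST", "https")]:
        print(method, scheme, "->", request(method, scheme)[0])
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` describes the proxy-to-application hop, so the deployment has to set it from the scheme the proxy reports for the client connection.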
