Hi Lance,

I think I follow what you are trying to do and no it won't work. :-]

If you open an HTTPS page on Domain1 - your browser has negotiated
encryption keys exclusively for just that site (based on the domain name).
So, if you Post your form to an HTTPS page on Domain2 (a different domain
name), then your browser won't have 'keys' for Domain2 and so the form data
is sent un-encrypted.

Remember, encryption keys for a particular domain can't be obtained until
the first time you open an HTTPS page for that domain - only after being on
an HTTPS page can you then send encrypted data back to that domain.

Hope this helps a little. Cheers...

Scott Cadillac
http://xml-extra.net
[EMAIL PROTECTED]

http://witango.org
[EMAIL PROTECTED]

VP, Research and Development
Plus International Corp.
604-460-1843
[EMAIL PROTECTED]
http://www.plusinternational.com

Vancouver, BC, Canada

Does your company have an Enterprise Information Portal? Check out Salsa at
www.plusinternational.com/flash/salsa.htm

----- Original Message -----
From: "Lance" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 8:44 AM
Subject: Re: Witango-Talk: does a form submit from a http page to a https
ensure secure data?


> i see. but what if the scenario is such that domain 1 has its ssl cert.
> and the form will be posted to domain 2. which also has its own ssl
> cert. in this case, the encryption on the form data will be based on
> domain 1's ssl cert? or domain 2's ssl cert? if it's domain 1's ssl
> cert, then wouldn't domain 2 be rejecting the data? cos after all, the
> data are being encrypted in domain 1's public key and not domain 2's?
>
> hope that's not confusing.
>
> lance
>
> Scott Cadillac wrote:
>
> >Hi Lance,
> >
> >The answer is no, your Post data is not encrypted yet.
> >
> >In order for your Post data to be encrypted when sending to the Server (for
> >example, a Logon form), you must first be on an HTTPS page - before Posting
> >to an HTTPS page.
> >
> >The reason for this is because, it is only during the first visit to an
> >HTTPS page, that your encryption keys are negotiated. Therefore that first
> >Post is not yet encrypted, but each Post after the first page is.
> >
> >Note: Most types of SSL encryption only applies to form POST methods not
> >GET methods.
> >
> >Also note that only your data from the browser (Client) to the Server is
> >the part that is encrypted. Output from the Server to the browser is not
> >encrypted, so even though you are running SSL, it is still good practice
> >to not display passwords or Credit Card numbers on your web-pages. The way
> >I understand it, if you want to encrypt your HTML data from the Server to
> >the Client, then you have to get your users to install a special type of
> >Client SSL Certificate on their workstation, with a personalized encryption
> >key.
> >
> >One of the first customers we ever had for the Witango work we do, wanted
> >to run everything in SSL mode. And the Network Administrator was very good
> >at his job and set up a Packet Sniffer on his network to test the
> >encryption for Logons and you could easily see that the Post data was not
> >encrypted until after the first visit to an HTTPS page.
> >
> >The logic I use for our Logon screens is to detect if the user has opened an
> >HTTP page first - and if so, then only show a button to 'Open Secure
> >Logon'. When they click this button, then they are redirected to an HTTPS
> >page before they can logon.
> >
> >Example: http://www.plusinternational.com (bottom-left-corner).
> >
> >Hope this helps. Cheers...
> >
> >Scott Cadillac
> >http://xml-extra.net
> >[EMAIL PROTECTED]
> >
> >http://witango.org
> >[EMAIL PROTECTED]
> >
> >VP, Research and Development
> >Plus International Corp.
> >604-460-1843
> >[EMAIL PROTECTED]
> >http://www.plusinternational.com
> >
> >Vancouver, BC, Canada
> >
> >Does your company have an Enterprise Information Portal? Check out Salsa at
> >www.plusinternational.com/flash/salsa.htm
> >
> >----- Original Message -----
> >From: "Lance" <[EMAIL PROTECTED]>
> >To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
> >Sent: Tuesday, July 02, 2002 3:40 AM
> >Subject: Witango-Talk: does a form submit from a http page to a https
> >ensure secure data?
> >
> >
> >
> >
> >>hi,
> >>
> >>the above question has been puzzling me for a while. the situation is
> >>this.
> >>
> >>http://domainname.com/register.taf
> >>display a user registration form having
> >>[form action="https://domainname.com/register.taf" method="post"]
> >>
> >>will the data from that page be encrypted when it is sent via https
> >>specified in the [form] action?
> >>
> >>note: the registration form is served from http.
> >>
> >>could someone enlighten me on this?
> >>
> >>regards,
> >>lance
> >>
> >>________________________________________________________________________
> >>TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> >>                with unsubscribe witango-talk in the message body
> >>
> >>
> >>
> >>
> >
>
>
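
Added example, not part of the original thread and not Witango code: an audit of the form in Lance's question together with the redirect target for the 'Open Secure Logon' gate Scott describes. The page carrying a form should itself arrive over HTTPS, because markup delivered over plain HTTP can be altered in transit before the user submits it. The function names and issue labels are hypothetical, and default ports are assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample: the registration form from the original question.
SAMPLE_PAGE = """
<form action="https://domainname.com/register.taf" method="post">
  <input name="user"><input type="password" name="pw">
</form>
"""


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def secure_logon_url(page_url):
    """HTTPS form of page_url (default ports assumed): the redirect target."""
    p = urlsplit(page_url)
    return urlunsplit(("https", p.hostname or "", p.path, p.query, ""))


def audit_forms(page_url, html):
    """One finding per form: transport of the page itself and of its submit target."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action, method in collector.forms:
        target = urlsplit(urljoin(page_url, action))  # empty action submits to the page
        issues = []
        if page.scheme != "https":
            issues.append("form-page-not-https")   # form markup can be altered in transit
        if target.scheme != "https":
            issues.append("submit-not-https")      # field values travel in cleartext
        if target.hostname != page.hostname:
            issues.append("cross-domain-submit")   # the Domain1 -> Domain2 case
        redirect = secure_logon_url(page_url) if page.scheme != "https" else None
        findings.append({"target": target.geturl(), "method": method,
                         "issues": issues, "redirect_first": redirect})
    return findings
```

Calling `audit_forms("http://domainname.com/register.taf", SAMPLE_PAGE)` reports `form-page-not-https` and gives the HTTPS address to redirect to before the form is shown.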
