After reading all the posts, I have changed my mind from my original post, and I agree with Scott that it would not be encrypted. You might be able to figure out a way to get both keys generated ahead of time, but I think you would still have problems, because I believe jumping from one secure site to another will generate an alert box that would pop up on the user's screen notifying them of the domain change.
Troy Sosamon

===== Original Message from [EMAIL PROTECTED] at 7/02/02 12:11 pm
>Hi again Lance,
>
>I believe my first response was correct, when you asked if sending from an
>HTTP form to an HTTPS page was secure. No it is not.
>
>Your second Post introduced the scenario of posting an HTTPS form from one
>Domain to a different Domain. Which I answered no to as well.
>
>So please filter your <snips> of information accordingly.
>
>Cheers....
>
>Scott Cadillac
>http://xml-extra.net
>[EMAIL PROTECTED]
>
>http://witango.org
>[EMAIL PROTECTED]
>
>VP, Research and Development
>Plus International Corp.
>604-460-1843
>[EMAIL PROTECTED]
>http://www.plusinternational.com
>
>Vancouver, BC, Canada
>
>Does your company have an Enterprise Information Portal? Check out Salsa at
>www.plusinternational.com/flash/salsa.htm
>
>----- Original Message -----
>From: "Lance" <[EMAIL PROTECTED]>
>To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
>Sent: Tuesday, July 02, 2002 10:23 AM
>Subject: Re: Witango-Talk: does a form submit from a http page to a https
>ensure secure data?
>
>> in fact... this is getting confusing, cos i get 2 different responses
>> from different people. so far, i have 3 people telling me that the data
>> will be encrypted and 1 person (you know who ;) telling me otherwise.
>>
>> <@snip1>
>>
>> I believe the answer to your question is yes, the data from the form
>> would be encrypted
>>
>> </@snip1>
>>
>> <@snip2>
>> Yes it will be encrypted...when the browser sends to HTTPS it must (by
>> definition) use SSL to communicate and will therefore be encrypted...your
>> traffic will look like:
>>
>> C = Client
>> S = Server
>>
>> C -> S Form Request
>> S -> C Form
>> C -> S SSL Connect
>> S -> C SSL Certificate
>> C -> S SSL Form Submit
>> S -> C Form Result page
>> </@snip2>
>>
>> <@snip3>
>>
>> Your form action parameter has an absolute url specifying an https
>> protocol. When the browser submits the form, it uses the url you specify
>> which is https. So the request is going to be encrypted. You might
>> consider serving the form page from https as well to kind of tighten
>> things up a little, but the data will be posted under https which is an
>> encrypted connection.
>>
>> </@snip3>
>>
>>
>> for once, how i wish you would have said "yes, it does encrypt". ;)
>>
>> Scott Cadillac wrote:
>>
>> >Hi Lance,
>> >
>> >I think I follow what you are trying to do and no it won't work. :-]
>> >
>> >If you open an HTTPS page on Domain1 - your browser has negotiated
>> >encryption keys exclusively for just that site (based on the domain
>> >name). So, if you Post your form to an HTTPS page on Domain2 (a
>> >different domain name), then your browser won't have 'keys' for Domain2
>> >and so the form data is sent un-encrypted.
>> >
>> >Remember, encryption keys for a particular domain can't be obtained
>> >until the first time you open an HTTPS page for that domain - only
>> >after being on an HTTPS page can you then send encrypted data back to
>> >that domain.
>> >
>> >Hope this helps a little. Cheers...
>> >
>> >Scott Cadillac
>> >http://xml-extra.net
>> >
>>
>> ________________________________________________________________________
>> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>> with unsubscribe witango-talk in the message body
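
An added example, not part of the thread: a small Python audit of the two things the messages discuss, whether a form's action URL is https and whether the form page itself is served over https (the tightening snip3 suggests). It relies on the fact that a browser completes the TLS handshake with the action URL's host before it sends the form body; the function name, sample HTML and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Forms(HTMLParser):
    """Collect (action, method) for every <form> start tag on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "",
                               (a.get("method") or "get").lower()))


def audit_forms(page_url, html):
    """Return one finding per form; relative actions resolve against page_url."""
    parser = _Forms()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action, method in parser.forms:
        target = urlsplit(urljoin(page_url, action))
        notes = []
        if target.scheme != "https":
            notes.append("submission is sent in cleartext")
        if page.scheme != "https":
            # The data may still go out over TLS, but the page that names
            # the action URL arrived unauthenticated and could be altered.
            notes.append("form page served over http")
        if target.hostname != page.hostname:
            notes.append("posts to a different host: %s" % target.hostname)
        findings.append({"target": target.geturl(), "method": method,
                         "submit_encrypted": target.scheme == "https",
                         "page_encrypted": page.scheme == "https",
                         "cross_host": target.hostname != page.hostname,
                         "notes": notes})
    return findings


# Constructed sample page: one absolute https action, one relative action.
SAMPLE = ('<form action="https://pay.example.net/order" method="POST"></form>'
          '<form action="/search"></form>')

if __name__ == "__main__":
    for f in audit_forms("http://shop.example.com/cart.html", SAMPLE):
        print(f["target"], f["notes"] or "ok")
```
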
