Hold on a second here... Scott, you're a little off on your SSL stuff.

Everything going over SSL is encrypted, both ways. SSL operates at a network layer below TCP (hence its new name, Transport Layer Security, TLS); encryption is already built in to the socket that is returned to the connecting or serving application. The secure connection is negotiated for each connection, before any data is transferred.

And for the client certificate thing: all certificates are authentication, not encryption. So a client cert will tell you that yes, you can trust that the connection is coming from the real John Smith (or whoever), and a server cert will tell you that yes, you are connecting to a real Amazon.com server (or wherever).

/John

----- Original Message -----
From: "Troy Sosamon" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 2:17 PM
Subject: RE: Witango-Talk: does a form submit from a http page to a https ensure secure data?

> After reading all the posts, I have changed my mind from my original post,
> and I agree with Scott that it would not be encrypted. You might be able to
> figure out a way to get both keys generated ahead of time, but I think you
> would still have problems, because I believe jumping from one secure site to
> another will generate an alert box that would pop up on the user's screen
> notifying them of the domain change.
>
> Troy Sosamon
>
> ===== Original Message from [EMAIL PROTECTED] at 7/02/02 12:11 pm
> >Hi again Lance,
> >
> >I believe my first response was correct, when you asked if sending from an
> >HTTP form to an HTTPS page was secure. No it is not.
> >
> >Your second Post introduced the scenario of posting an HTTPS form from one
> >Domain to a different Domain. Which I answered no to as well.
> >
> >So please filter your <snips> of information accordingly.
> >
> >Cheers....
> >
> >Scott Cadillac
> >http://xml-extra.net
> >[EMAIL PROTECTED]
> >
> >http://witango.org
> >[EMAIL PROTECTED]
> >
> >VP, Research and Development
> >Plus International Corp.
> >604-460-1843
> >[EMAIL PROTECTED]
> >http://www.plusinternational.com
> >
> >Vancouver, BC, Canada
> >
> >Does your company have an Enterprise Information Portal? Check out Salsa at
> >www.plusinternational.com/flash/salsa.htm
> >
> >----- Original Message -----
> >From: "Lance" <[EMAIL PROTECTED]>
> >To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
> >Sent: Tuesday, July 02, 2002 10:23 AM
> >Subject: Re: Witango-Talk: does a form submit from a http page to a https
> >ensure secure data?
> >
> >
> >> in fact... this is getting confusing, cos i get 2 different responses
> >> from different people. so far, i have 3 people telling me that the data
> >> will be encrypted and 1 person (you know who ;) telling me otherwise.
> >>
> >> <@snip1>
> >>
> >> I believe the answer to your question is yes, the data from the form would
> >> be encrypted
> >>
> >> </@snip1>
> >>
> >> <@snip2>
> >> Yes it will be encrypted...when the browser sends to HTTPS it must (by
> >> definition) use SSL to communicate and will therefore be encrypted...your
> >> traffic will look like:
> >>
> >> C = Client
> >> S = Server
> >>
> >> C -> S Form Request
> >> S -> C Form
> >> C -> S SSL Connect
> >> S -> C SSL Certificate
> >> C -> S SSL Form Submit
> >> S -> C Form Result page
> >> </@snip2>
> >>
> >> <@snip3>
> >>
> >> Your form action parameter has an absolute url specifying an https
> >> protocol. When the browser submits the form, it uses the url you specify
> >> which is https. So the request is going to be encrypted. You might
> >> consider serving the form page from https as well to kind of tighten
> >> things up a little, but the data will be posted under https which is an
> >> encrypted connection.
> >>
> >> </@snip3>
> >>
> >>
> >> for once, how i wish you would have said "yes, it does encrypt". ;)
> >>
> >> Scott Cadillac wrote:
> >>
> >> >Hi Lance,
> >> >
> >> >I think I follow what you are trying to do and no it won't work. :-]
> >> >
> >> >If you open an HTTPS page on Domain1 - your browser has negotiated
> >> >encryption keys exclusively for just that site (based on the domain name).
> >> >So, if you Post your form to an HTTPS page on Domain2 (a different domain
> >> >name), then your browser won't have 'keys' for Domain2 and so the form data
> >> >is sent un-encrypted.
> >> >
> >> >Remember, encryption keys for a particular domain can't be obtained until
> >> >the first time you open an HTTPS page for that domain - only after being on
> >> >an HTTPS page can you then send encrypted data back to that domain.
> >> >
> >> >Hope this helps a little. Cheers...
> >> >
> >> >Scott Cadillac
> >> >http://xml-extra.net
> >>
> >> ________________________________________________________________________
> >> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> >> with unsubscribe witango-talk in the message body
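
For the question debated in this thread, an added example that is not part of the original messages: this Python sketch resolves each form's action the way a browser does and reports which channel the submission will use and whether the form page itself arrived over HTTPS. The URLs and HTML are constructed, and `FormCollector` and `audit_forms` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects the action and method of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def audit_forms(page_url, html):
    """Classify each form by the channel its submission will use."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    results = []
    for action, method in collector.forms:
        # A browser resolves the action against the page URL; empty means "this page".
        target = urlsplit(urljoin(page_url, action))
        results.append({
            "target": target.geturl(),
            "method": method,
            # TLS is negotiated with the target host before the request is sent,
            # so only the target's scheme decides whether the data is encrypted.
            "submission_encrypted": target.scheme == "https",
            "cross_host": target.hostname != page.hostname,
            # A page fetched over plain HTTP has no integrity protection, so its
            # action attribute could have been altered in transit.
            "form_page_authenticated": page.scheme == "https",
        })
    return results


# Constructed sample page, served from a hypothetical http:// URL.
SAMPLE_PAGE_URL = "http://shop.example/order.html"
SAMPLE_HTML = """
<form method="post" action="https://secure.example/pay"><input name="card"></form>
<form method="post" action="/search"><input name="q"></form>
<form action="https://shop.example/login" method="POST"></form>
"""

if __name__ == "__main__":
    for row in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(row)
```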
