Repost: I am by no means an authority on SSL. But my customer and I did conduct our own 'secure logon' testing with a packet sniffer and could easily 'see' what encrypted and un-encrypted data was being sent, under our own controlled conditions. I am merely offering some advice and information based on my experience.

Regardless of what anybody recommends to you (including me), I urge you to conduct your own security tests for your own peace of mind.

----- Original Message -----
From: "John McGowan" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 12:35 PM
Subject: Re: Witango-Talk: does a form submit from a http page to a https ensure secure data?

> Hold on a second here...
>
> Scott, you're a little off on your SSL stuff.
>
> Everything going over SSL is encrypted, both ways. SSL operates at a network layer below TCP (hence its new name, Transport Layer Security, TLS); encryption is already built in to the socket that is returned to the connecting or serving application. The secure connection is negotiated each connection, before any data is transferred.
>
> And for the client certificate thing: all certificates are authentication, not encryption. So a client cert will tell you that yes, you can trust that the connection is coming from the real John Smith (or whoever), and a server cert will tell you that yes, you are connecting to a real Amazon.com server (or wherever).
>
> /John
>
> ----- Original Message -----
> From: "Troy Sosamon" <[EMAIL PROTECTED]>
> To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, July 02, 2002 2:17 PM
> Subject: RE: Witango-Talk: does a form submit from a http page to a https ensure secure data?
>
> > After reading all the posts, I have changed my mind from my original post, and I agree with Scott that it would not be encrypted. You might be able to figure out a way to get both keys generated ahead of time, but I think you would still have problems, because I believe jumping from one secure site to another will generate an alert box that would pop up on the user's screen notifying them of the domain change.
> >
> > Troy Sosamon
> >
> > ===== Original Message from [EMAIL PROTECTED] at 7/02/02 12:11 pm
> > >Hi again Lance,
> > >
> > >I believe my first response was correct, when you asked if sending from an HTTP form to an HTTPS page was secure. No it is not.
> > >
> > >Your second post introduced the scenario of posting an HTTPS form from one domain to a different domain, which I answered no to as well.
> > >
> > >So please filter your <snips> of information accordingly.
> > >
> > >Cheers....
> > >
> > >Scott Cadillac
> > >http://xml-extra.net
> > >[EMAIL PROTECTED]
> > >
> > >http://witango.org
> > >[EMAIL PROTECTED]
> > >
> > >VP, Research and Development
> > >Plus International Corp.
> > >604-460-1843
> > >[EMAIL PROTECTED]
> > >http://www.plusinternational.com
> > >
> > >Vancouver, BC, Canada
> > >
> > >Does your company have an Enterprise Information Portal? Check out Salsa at www.plusinternational.com/flash/salsa.htm
> > >
> > >----- Original Message -----
> > >From: "Lance" <[EMAIL PROTECTED]>
> > >To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
> > >Sent: Tuesday, July 02, 2002 10:23 AM
> > >Subject: Re: Witango-Talk: does a form submit from a http page to a https ensure secure data?
> > >
> > >> In fact... this is getting confusing, cos I get 2 different responses from different people. So far, I have 3 persons telling me that the data will be encrypted and 1 person (you know who ;) telling me otherwise.
> > >>
> > >> <@snip1>
> > >>
> > >> I believe the answer to your question is yes, the data from the form would be encrypted
> > >>
> > >> </@snip1>
> > >>
> > >> <@snip2>
> > >> Yes it will be encrypted...when the browser sends to HTTPS it must (by definition) use SSL to communicate and will therefore be encrypted...your traffic will look like:
> > >>
> > >> C = Client
> > >> S = Server
> > >>
> > >> C -> S Form Request
> > >> S -> C Form
> > >> C -> S SSL Connect
> > >> S -> C SSL Certificate
> > >> C -> S SSL Form Submit
> > >> S -> C Form Result page
> > >> </@snip2>
> > >>
> > >> <@snip3>
> > >>
> > >> Your form action parameter has an absolute URL specifying an https protocol. When the browser submits the form, it uses the URL you specify, which is https. So the request is going to be encrypted. You might consider serving the form page from https as well to kind of tighten things up a little, but the data will be posted under https, which is an encrypted connection.
> > >>
> > >> </@snip3>
> > >>
> > >> For once, how I wish you would have said "yes, it does encrypt". ;)
> > >>
> > >> Scott Cadillac wrote:
> > >>
> > >> >Hi Lance,
> > >> >
> > >> >I think I follow what you are trying to do and no, it won't work. :-]
> > >> >
> > >> >If you open an HTTPS page on Domain1, your browser has negotiated encryption keys exclusively for just that site (based on the domain name). So, if you post your form to an HTTPS page on Domain2 (a different domain name), then your browser won't have 'keys' for Domain2 and so the form data is sent un-encrypted.
> > >> >
> > >> >Remember, encryption keys for a particular domain can't be obtained until the first time you open an HTTPS page for that domain; only after being on an HTTPS page can you then send encrypted data back to that domain.
> > >> >
> > >> >Hope this helps a little.
> > >> >
> > >> >Cheers...
> > >> >
> > >> >Scott Cadillac
> > >> >http://xml-extra.net
> > >> >
> > >>
> > >> ________________________________________________________________________
> > >> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> > >> with unsubscribe witango-talk in the message body
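The thread turns on one mechanical question: which URL does the browser actually send the form fields to, and is that URL https? The browser resolves the form's `action` against the page URL, and a TLS session is negotiated per connection before any request bytes are sent, so an https action is encrypted regardless of which domain served the form. What is not protected is the form page itself when it came over plain HTTP, which is why snip3 suggests serving the form over https too. The following is an added illustration written for this thread, not code from any of the list members or from Witango; the function names, field names and hostnames are this example's own. It goes slightly beyond the thread's cases by also covering a relative `action` (which inherits the page's scheme) and an explicit downgrade from an https page to an http action.

```python
"""Classify how an HTML form submission travels, given the URL of the page
that carried the form and the form's action attribute.

Added example for the witango-talk thread on http -> https form posts.
classify_form_submit / verdict are names invented here; the hosts below
are constructed sample values.
"""
from urllib.parse import urljoin, urlsplit


def classify_form_submit(page_url: str, action: str) -> dict:
    """Resolve `action` against `page_url` as a browser does (RFC 3986
    reference resolution) and report the properties that decide whether
    the POSTed fields are protected in transit.

    post_encrypted : the request carrying the form fields goes over TLS.
    page_encrypted : the page that contained the form was itself fetched
                     over TLS; if not, the form markup, including its
                     action URL, was unauthenticated on the way to the user.
    cross_origin   : the target differs in scheme or host:port from the page.
                     A browser just opens a fresh TLS session to the target;
                     nothing from the first site's session is needed.
    """
    target = urljoin(page_url, action) if action else page_url
    page, dest = urlsplit(page_url), urlsplit(target)
    return {
        "target": target,
        "post_encrypted": dest.scheme == "https",
        "page_encrypted": page.scheme == "https",
        "cross_origin": (page.scheme, page.netloc.lower())
        != (dest.scheme, dest.netloc.lower()),
    }


def verdict(page_url: str, action: str) -> str:
    """One-line risk summary for a page/action pair, worst case first."""
    c = classify_form_submit(page_url, action)
    if not c["post_encrypted"]:
        return "NOT PROTECTED: form fields are sent in clear text to " + c["target"]
    if not c["page_encrypted"]:
        return ("fields encrypted to %s, but the form page arrived over plain "
                "HTTP so its action URL could have been altered in transit"
                % c["target"])
    if c["cross_origin"]:
        return "encrypted; new TLS session negotiated with " + c["target"]
    return "encrypted; same origin as the page"


# Constructed sample cases: the four situations discussed (or implied) above.
SAMPLE_CASES = [
    # http page, absolute https action: the case Lance asked about
    ("http://www.example.com/login.html", "https://secure.example.com/login"),
    # http page, relative action: resolves to http, so the POST is in the clear
    ("http://www.example.com/login.html", "/login"),
    # https page on Domain1 posting to https on Domain2
    ("https://domain1.example/form.html", "https://domain2.example/submit"),
    # https page whose action explicitly downgrades to http
    ("https://domain1.example/form.html", "http://domain1.example/submit"),
]

if __name__ == "__main__":
    for page, action in SAMPLE_CASES:
        print(f"{page} -> action {action!r}\n    {verdict(page, action)}")
```

Run it as a script to see the four verdicts; the second case is the one worth remembering when auditing templates, because `action="/login"` on an HTTP page looks harmless but posts the credentials unencrypted.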
