
View Full Version : SSL Question



thody
04-09-2004, 01:25 AM
I have a quick question about SSL...if the form I'm entering data on is http, and the script it's being submitted to is https...does that make it secure? Or do both the form, and the destination script have to be https?

Thanks

Nightfire
04-09-2004, 02:02 AM
Not sure, I'd put them both on the secure server just to make sure, as I think the form could be intercepted otherwise without it being encoded

black3842
04-11-2004, 11:44 AM
There is no client info in the form itself on the server, so http is fine for serving that up. The user enters data on the client side and that data doesn't get transmitted back to the server until POST. As long as you post as HTTPS, you're secure, the form needn't be served via https.

Regards,
Jason.

dniwebdesign
04-11-2004, 06:33 PM
If you don't mind me asking, is there any article that you can show to prove that? I am working on a bank website and want to add a log-in on their front page (non-secure) to log into internet banking (secure), but they are unsure about the security. This will help prove my point that it is okay, just as long as when the user clicks submit it is sent to a secure server. Thanks.

dniwebdesign
04-11-2004, 10:24 PM
If you don't mind me asking, is there any article that you can show to prove that? I am working on a bank website and want to add a log-in on their front page (non-secure) to log into internet banking (secure), but they are unsure about the security. This will help prove my point that it is okay, just as long as when the user clicks submit it is sent to a secure server. Thanks.

dniwebdesign
04-11-2004, 10:25 PM
Sorry for double posting... I still saw the form sitting here filled out so I thought I forgot to press Submit...

black3842
04-12-2004, 04:30 AM
Sorry, but I don't have an article to "prove" that. If you have a solid understanding of the http protocol this should be self evident. I worked at IBM for 3 years supporting webservers if that helps for my credibility, and I'm a principal CLP for Lotus Domino Server.

When a user visits a web page, for instance www.acme.com, their browser will perform GET http://www.acme.com. The server sees this request and sends the requested data (web page) to the browser on the client machine. The client browser (IE, Netscape, etc.) then interprets the HTML returned and displays it accordingly.

So, when your user visits the page containing your form, the above will happen. The information is sent unencrypted, but that's ok, because the client hasn't yet entered any information into the form (it's just a blank form). Once the client browser receives the HTML which constitutes a form, the browser displays the form on the client.

The user fills in the form (which at that point is in the memory of his local browser, not on the server). When, and only when the user clicks submit, does the information he has entered get sent to the server. This is done via the POST method of the form. Your Form Action will contain the page to which it gets posted.

So unless you feel you need to encrypt an empty form, you needn't worry about it. As long as you POST to an HTTPS page, the user never sends any sensitive information in the clear.

If, however, you are pulling information from a database and pre-populating sensitive data into the form before sending the form to the users, then you should by all means be sure to serve that form up via https.

HTTP is a client/server protocol.
Client requests data (page) via GET.
Server sends data to client.
Client displays the data it received (page) to user.
User enters information into locally downloaded page.
User clicks submit.
Client performs POST to address specified in Action.
Data gets sent from client to server.
If posted via HTTPS, data is sent to server encrypted.

Hopefully that clarifies somewhat. Let me know if you still have questions.

Thanks,
Jason
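
Added example, not part of any post in this thread: a small audit that takes a page URL and its HTML, resolves each form's action the way a browser does, and reports separately whether the submission and the form markup itself travel over HTTPS. The host www.acme.com is the one used above; the paths, field names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: paths and field names are made up for this example.
SAMPLE_HTML = """
<form action="https://www.acme.com/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
<form action="/signin" method="POST"><input type="PASSWORD" name="pw"></form>
"""

class FormCollector(HTMLParser):
    """Record each <form>, its resolved target and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL,
            # so it inherits the page's scheme (http page -> http submission).
            target = urljoin(self.page_url, a.get("action") or "")
            method = (a.get("method") or "get").lower()  # HTML default is GET
            self.forms.append({"target": target, "method": method, "has_password": False})
            self._in_form = True
        elif tag == "input" and self._in_form:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def audit(page_url, html):
    """Return one report per form: is the submission encrypted, is the markup?"""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    for form in collector.forms:
        form["submit_encrypted"] = urlsplit(form["target"]).scheme == "https"
        # The markup, including the action attribute, travels over the page's scheme.
        form["markup_encrypted"] = page_https
    return collector.forms
```

Calling `audit("http://www.acme.com/", SAMPLE_HTML)` shows the case asked about in the thread (first form) next to a relative action on the same page, which ends up submitting a password over plain HTTP.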


