https, ssl post question

[daydreamer]

if you post any data to a https:// page then its encrypted, right?

 

for example, if this form was on http://www.siteone.com:

 

<form name="input" action="https://www.sitetwo.com/login.php"
method="post">
<input type="text" name="user">
<input type="submit" value="Submit">
</form>

 

When it is submitted, the data will be encrypted although the page with the form on wont show the pad lock because its not https:// ?

 

 

And what if you send data from https://www.sitetwo.com/login.php to http://www.siteone.com, is it encrypted even though the data flow is going the other way?

 

Thanks.

[JonnoTheDev]

All pages must use https:// protocol

[daydreamer]

How sure are you of this?

 

My interpretation is that, if a client posts something to a server on a https connection, it can only be sent via https:// because thats what the servers using.

 

So if a html form is loaded into a clients browser, with

action="https://www.sitetwo.com/login.php"

, although the page which sent the form code was in http://, when the user clicks "submit", the form will attempt to send the details via https://.

 

How could it send it unencrypted via http:// if the server isn't accepting these connections (http=port 80, https is normally 443)?

 

 

[JonnoTheDev]

You maybe right. Unsure about at what point the data gets encrypted as POST & GET requests are sent in clear text packets.

[rhodesa]

i am pretty sure you thought process is correct. as long as the page where the form is posting to is HTTPS, everything should be encrypted. but, most sites will encrypt the form page too so the user feels safer.

 

....again, not certain, but pretty sure

[PFMaBiSmAd]

As long as the form method is post, the https connection will be negotiated when the action="..." url is requested. The post data will be sent after the connection is encrypted.

[daydreamer]

ok thanks for your insight... thats how i thought it works