micah1701 Posted February 18, 2008

Simple question about SSL that I think I already know the answer to...

If the user is on the page http://domain.com/page.html and they fill out a form whose action is set to https://domain.com/process_form.php, will the data they submit be encrypted?

Link to comment: https://forums.phpfreaks.com/topic/91666-posting-data-to-https-from-http/

sKunKbad Posted February 19, 2008

no

micah1701 (Author) Posted February 19, 2008

Thanks for that well thought out and detailed answer.

I've been researching this a little bit and it seems that the data IS encrypted because the SSL "handshake" occurs before the POST data is sent. The one valid-sounding objection I read was that, although the data being sent would be encrypted, because the form's action itself is not encrypted, it could be intercepted and modified to redirect the data to another location before the "handshake" takes place.

So my understanding is that, in answer to my question, YES post data sent from an http page to an https processing page IS encrypted; HOWEVER, that is only true if the SSL request itself was not hi-jacked before the data is sent.

Does this sound right to anyone or have I just confused myself more?

Guardian-Mage Posted February 20, 2008

I believe you are correct. This seemed the case when I ran the tests, and everything I read would lead me to believe you are correct.

GameYin Posted February 21, 2008

Though it may be encrypted, that doesn't mean that it is 100% safe.

jazz Posted February 23, 2008

> So my understanding is that, in answer to my question, YES post data sent from an http page to an https processing page IS encrypted; HOWEVER, that is only true if the SSL request itself was not hi-jacked before the data is sent.

Technically, even if it gets hijacked through a man-in-the-middle method, it will still be encrypted. The problem is it will be encrypted by the attacker.

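Added example (not part of any post in this thread): a small Python audit that separates the two conditions discussed above, whether the POST itself travels over HTTPS and whether the page carrying the form was delivered over HTTPS, so that its `action` cannot be rewritten in transit. The function name and the verdict labels are hypothetical, and the sample HTML is constructed around the URLs from the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form without an action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_action, verdict) for each form in html."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = FormCollector()
    collector.feed(html)
    results = []
    for action in collector.actions:
        target = urljoin(page_url, action.strip())
        if urlsplit(target).scheme.lower() != "https":
            verdict = "cleartext-submit"   # POST body is readable on the wire
        elif page_scheme != "https":
            verdict = "tamperable-form"    # encrypted POST, unauthenticated form
        else:
            verdict = "ok"                 # form and submission both over HTTPS
        results.append((target, verdict))
    return results


# Constructed sample: the form from the question plus two contrast cases.
SAMPLE = """
<form method="post" action="https://domain.com/process_form.php"></form>
<form method="post" action="/search.php"></form>
<form method="post"></form>
"""

if __name__ == "__main__":
    for page in ("http://domain.com/page.html", "https://domain.com/page.html"):
        for target, verdict in audit_forms(page, SAMPLE):
            print(f"{page} -> {target}: {verdict}")
```

Only the case where both the page and the action are HTTPS is reported as `ok`; the setup from the original question is reported as `tamperable-form`.
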
Archived
This topic is now archived and is closed to further replies.