micah1701 Posted February 18, 2008 Share Posted February 18, 2008 simply question about SSL that I think I already know the answer to... if the user is on the page http://domain.com/page.html and they fill out a form who's action is set to https://domain.com/process_form.php will the data they submit be encrypted? Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 19, 2008 Share Posted February 19, 2008 no Quote Link to comment Share on other sites More sharing options...
micah1701 Posted February 19, 2008 Author Share Posted February 19, 2008 thanks for that well thought out and detailed answer I've been researching this a little bit and it seems that the data IS encrypted because the SSL "handshake" occurs before the POST data is sent. The one valid sounding objection I read was that, although the data being sent would be encrypted, because the form's action itself is not encrypted, it could be intercepted and modified to redirect the data to another location before the "handshake" takes place. So my understanding is that, in answer to my question, YES post data sent from an http page to an https processing page IS encrypted; HOWEVER, that is only true if the SSL request itself was not hi-jacked before the data is sent. Does this sound right to anyone or have I just confused myself more? Quote Link to comment Share on other sites More sharing options...
Guardian-Mage Posted February 20, 2008 Share Posted February 20, 2008 I believe you are correct. This seemed the case when I ran the tests, and everything I read would lead me to believe you are correct. Quote Link to comment Share on other sites More sharing options...
GameYin Posted February 21, 2008 Share Posted February 21, 2008 Though it may be encrypted, doesn't mean that it is 100% safe. Quote Link to comment Share on other sites More sharing options...
jazz Posted February 23, 2008 Share Posted February 23, 2008 So my understanding is that, in answer to my question, YES post data sent from an http page to an https processing page IS encrypted; HOWEVER, that is only true if the SSL request itself was not hi-jacked before the data is sent. Technically, even if it gets hijacked through man in the middle method, it will still be encrypted. The problem is it will be encrypted by the attacker. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.