Re: Encrypted or Not Encrypted

[Roman Fulop <ml () ensof1 trithem sk>]

Browser will behave just like if you entered the secure url into address
bar manually. The only difference is, that the request contains POST
payload. If the site certificate is incorrect, browser will warn user
before sending http request.

R.

Rob Wilcox wrote:
> Yes, so the clients browser takes care of the SSL business on submit,
> riddle me this:
> So there is some certificate exchange that occurs w/o user interaction
> on submit of the login form, does the user ever get to inspect the
> certificate?  I would like to assume that a mismatch would generate the
> normal error dialog alerting the user to possible MIM?
>
> -Rob
>
> On Wed, Sep 17, 2008 at 1:06 PM, Roman Fulop <ml () ensof1 trithem sk
> <mailto:ml () ensof1 trithem sk>> wrote:
>
>     I totally don't understand this. Setting up a test page, firing up
>     wireshark and testing it all took me about 3 minutes. Instead of reading
>     rfcs, which evidently did not help you to get a correct answer.
>
>     What happens:
>
>     Client software renders the form. User enters the password and clicks
>     submit. Client looks at the action parameter of the form element and
>     eventually translates hostname to ip address. The action parameter also
>     contains schema, which in this case would be https://, so it assumes
>     target port would be 443. Then it initiates connection to target:443,
>     tcp 3-way handshake and after establishing the tcp connection, according
>     to schema, it initiates ssl handshake. To this point, no http traffic
>     was sent! - only after ssl is set up.
>
>
>     R.
>
>     Douglas C. Duckworth wrote: