Re: Encrypted or Not Encrypted

["Gregory Rubin" <grrubin () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is correct.  The entire connection between the browser and the
receiving server is encrypted.  At no point is any of the information
in the example form exposed.

HOWEVER, having a form that submits to HTTPS be displayed on an HTTP
site is an extremely bad practice because none of the protections
granted by https are on the form's page.  This means that an attacker
can:
* Modify the form so that it submits over http
* Modify the form so that it submits directly to the attacker
* Insert javascript into the page that sniffs out the user-name and
password (prior to form submission) and sends them to the attacker
* DNS Hijack the client and cause them to view an entirely attacker
controlled page (but at the same URL).
(Also, there is no way for the user to know that the form submits over
https without looking at the source.)

Https on the form's page will protect against all of these attacks and
is why so many of the major sites require the form to be displayed on
an HTTPS page (and instruct their users to never enter their
credentials on an http site).

Greg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: http://getfiregpg.org

iD8DBQFIyqHX5KDU23nQpRcRAhr0AJ450yzA9XcA35hxIAaYDh6BTLM6mQCg+us3
Jlh/xszj7iWzzIjzMNNnOVc=
=zZFk
-----END PGP SIGNATURE-----

On Fri, Sep 12, 2008 at 12:28 AM, Roman Fulop <ml () ensof1 trithem sk> wrote:
> Hi,
> AFAIK, the SSL handshake occurs before sending HTTP request.