RE: Encrypted or Not Encrypted

[Eifrém Strinnholm Jonas <Jonas.Eifrem () sweco se>]

Encrypted.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of amatachick () gmail com
Sent: den 11 september 2008 20:25
To: security-basics () securityfocus com
Subject: Encrypted or Not Encrypted

I've run into this issue a few times now and would like to know what y'all
think. Here is the situation: A website not using SSL has a login page. As
soon as credentials are entered on this page they are redirected to a site
using SSL. Here is a specific example of the code on one such site:

<form name="loginpersonal" method="POST"
action="https://secure.sitename.com/engine/login/login.asp"; onSubmit="return
checkLoginForm(this);">

   <input type=hidden name=IsPostback value=1>



Now, from what I understand, the login credentials would still be
unencrypted while traveling to the secure site. So that would negate the
effect of having it redirect to a secure site in the first place. Right? I
keep brining up this fact but all I get back is that it's being redirected
so it's secure. I feel like I'm taking crazy pills here so I'd appreciate
some feedback. Am I wrong? If I am I can handle that, I'd just like to know.
Thanks!

Attachment: smime.p7s
Description: