I've been very concerned about a particular website that has a login page that is not SSL.
I've always assumed this type of login POSTs data in the clear (that is, you can read it clearly by parsing the HTTP stream and plucking out values of interest). If the login page is already secure (i.e. "https://www.ourverylargebank.com/login.asp"), then all traffic is encrypted.
This being said, I've found a site that does exactly this, yet they claim that, because they are POSTing to an SSL page (i.e. in the FORM tag:
" ), it is still SSL secure.
I disagree. Am I wrong? Is there something I don't know or understand about the protocols? How could a target page retroactively encrypt incoming POST data?
I'm doing some testing on my own to verify my beliefs that any data coming from an insecure connection (non-SSL) is always "in the clear" on its way to an SSL page.
Any more thoughts on this subject?