POSTing from non-SSL to SSL page - still secure?

Posted on 2006-05-01
Medium Priority
Last Modified: 2011-09-20
Hi all,

I've been very concerned about a particular website that has a login page that is not SSL.
I've always assumed this type of login POSTs data in the clear (that is, you can read it clearly by parsing the HTTP stream and plucking out values of interest). If the login page is already secure (i.e. "https://www.ourverylargebank.com/login.asp"), then all traffic is encrypted.

This being said, I've found a site that does exactly this, yet they claim that because they are POSTing to an SSL page (i.e. in the FORM tag:
 target="https://www.ourverylargebank.com/processlogin.asp" ), it is still SSL secure.
I disagree.  Am I wrong?  Is there something I don't know or understand about the protocols?  How could a target page retroactively encrypt  incoming POST data?

I'm doing some testing on my own to verify my beliefs that any data coming from an insecure connection (non-SSL) is always "in the clear" on its way to an SSL page.

Any more thoughts on this subject?

Question by:simplyamazing

Accepted Solution

Carl Tawn earned 1000 total points
ID: 16578066
The data will be encrypted. The SSL connection is established first and then the data is tunneled (securely) through that.

Assisted Solution

pauljk1619 earned 1000 total points
ID: 16578214
In order to encrypt login information, the page receiving the information has to use SSL, while the form where the user enters such information does not have to use SSL.

When the browser sees the https URL for its postback, it should initiate a connection to the SSL port on the Web server (port 443). The browser and the server will then begin the handshake phase before sending the data.

At least that's my understanding of it.  


Author Comment

ID: 16582663
I was worried that it might send the data along with the initial handshake in the same pass where the data would sit in a receiving buffer until the connection was made - now I realize this does not make any sense and my paranoia is unfounded.  
This is something I never really considered before as I'd always, by virtue of everyone else doing it, put a login form in an SSL page.
I ran Ethereal (network sniffer) and tried different tests - indeed, it is being encrypted.
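
As an added example (not code from any poster in this thread), the check below resolves each form's submission URL the way a browser does and reports whether the POST would travel over TLS. That depends on the resolved `action` URL, not on the scheme of the page that holds the form. The host name, the sample markup and the `audit`/`FormAudit` names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAudit(HTMLParser):
    """Collect every <form> and resolve where the browser would submit it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # A missing or empty action submits back to the page's own URL;
        # urljoin also resolves relative actions against the page URL.
        dest = urljoin(self.page_url, (a.get("action") or "").strip())
        self.forms.append({
            "method": (a.get("method") or "get").lower(),
            "destination": dest,
            "post_over_tls": urlsplit(dest).scheme == "https",
        })


def audit(page_url, html):
    """Return one record per form found in html, as served from page_url."""
    parser = FormAudit(page_url)
    parser.feed(html)
    return parser.forms


# Constructed sample: a login page served over plain HTTP (hypothetical host).
# Form 1: absolute https action. Form 2: relative action, inherits http.
# Form 3: only a target attribute, which names a window or frame and does not
# set the destination, so the form posts back to the HTTP page URL.
PAGE_URL = "http://www.example.test/login.asp"
SAMPLE = """
<form method="post" action="https://www.example.test/processlogin.asp"></form>
<form method="post" action="processlogin.asp"></form>
<form method="post" target="https://www.example.test/processlogin.asp"></form>
"""

if __name__ == "__main__":
    for f in audit(PAGE_URL, SAMPLE):
        verdict = "TLS" if f["post_over_tls"] else "CLEARTEXT"
        print(f"{verdict:9} {f['method'].upper():4} -> {f['destination']}")
```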


