POSTing from non-SSL to SSL page - still secure?

Posted on 2006-05-01
Last Modified: 2011-09-20
Hi all,

I've been very concerned about a particular website that has a login page that is not SSL.
I've always assumed this type of login POSTs data in the clear (that is, you can read it clearly by parsing the HTTP stream and plucking out values of interest). If the login page is already secure (i.e. ""), then all traffic is encrypted.

This being said, I've found a site that does exactly this, yet they claim that because they are POSTing to an SSL page (i.e. in the FORM tag: target=""), it is still SSL secure.
I disagree. Am I wrong? Is there something I don't know or understand about the protocols? How could a target page retroactively encrypt incoming POST data?

I'm doing some testing on my own to verify my beliefs that any data coming from an insecure connection (non-SSL) is always "in the clear" on its way to an SSL page.

Any more thoughts on this subject?

Question by:simplyamazing
    LVL 52

    Accepted Solution

    The data will be encrypted. The SSL connection is established first and then the data is tunneled (securely) through that.
    LVL 7

    Assisted Solution

    In order to encrypt login information, the page receiving the information has to use SSL, while the form where the user enters such information does not have to use SSL.

    When the browser sees the https URL for its postback, it should initiate a connection to the SSL port on the Web server (port 443). The browser and the server will then begin the handshake phase before sending the data.

    At least that's my understanding of it.  


    Author Comment

    I was worried that it might send the data along with the initial handshake in the same pass where the data would sit in a receiving buffer until the connection was made - now I realize this does not make any sense and my paranoia is unfounded.  
    This is something I never really considered before as I'd always, by virtue of everyone else doing it, put a login form in an SSL page.
    I ran Ethereal (network sniffer) and tried different tests - indeed, it is being encrypted.
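
As an added example (not code from this thread or from the site discussed), the check below parses a login page and resolves each password form's action against the page URL the way a browser does, so it shows which scheme the credentials will actually travel over. It also records separately whether the page itself arrived over TLS. The example.com URLs, the sample markup and the names `FormAudit` and `audit_login_forms` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages; the example.com hosts are placeholders.
PAGE_ABSOLUTE = ('<form method="post" action="https://www.example.com/login">'
                 '<input name="u"><input type="password" name="p"></form>')
PAGE_RELATIVE = ('<form method="post" action="/login">'
                 '<input type="password" name="p"></form>')


class FormAudit(HTMLParser):
    """Collect every <form> and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.open_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_form = {"action": a.get("action") or "",
                              "method": (a.get("method") or "get").lower(),
                              "has_password": False}
            self.forms.append(self.open_form)
        elif tag == "input" and self.open_form is not None:
            if (a.get("type") or "").lower() == "password":
                self.open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form = None


def audit_login_forms(page_url, html):
    """Return one record per password form with the resolved submit target."""
    parser = FormAudit()
    parser.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action inherits the page's scheme;
        # an absolute https action is sent over TLS regardless of the page.
        target = urljoin(page_url, form["action"])
        results.append({"target": target, "method": form["method"],
                        "submit_over_tls": urlsplit(target).scheme == "https",
                        "page_over_tls": page_tls})
    return results
```
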


