From Leo's mailbag:
> From: A Computer User
> Sent: October 10, 2005
> To: Ask Leo!
> Subject: does a form need to be SSL protected?
>
> Leo,
> The answer to this question probably won't appeal to the
> masses but it's one we're debating here at our university,
> and we'd appreciate your insight.
>
> A user goes to http://host/login.htm, enters personal
> information into a form, and clicks the submit button which
> sends him to https://host/process.htm. Was the personal
> information transmitted securely, or does the page containing
> the form need to be SSL protected? If it was transmitted
> securely, do you know of an RFC that documents this?

It is NOT transmitted securely. Basically the information
in the form is sent in clear text along with the request
for https://host/process.html - SSL happens when that
page responds, at which point it's too late.

You do want that form to be SSL protected.

Thanks for asking,
Leo

Article 825 | Category: Internet