From: Sara Golemon (saramg@uclink.berkeley.edu)
Date: Mon Dec 16 2002 - 17:44:47 PST
So long as the action page is to an HTTPS server, the data will go
encrypted. I generally discourage this mixing of HTTP and HTTPS across form
submissions as it's disorienting for the user who looks for the "Lock" icon
in their browser's status bar while on the form submission page but do not
see it because the form itself is not encrypted.
A perfect case-example is http://www.bofa.com who use a non encrypted page
to display the form asking a user to login to access online banking. While
the username/password is sent to an HTTPS page for processing and the user's
data is protected, it's not immediately obvious to those who look for that
"Lock" icon before sending critical data.
As a user, I find it annoying.
-Sara Golemon
Office of Human Resources
----- Original Message -----
> Question; if I have a file, form.html and it's called via
>
> http://host/form.html
>
> and in that file it has
>
> <form action="https://host/form.php" method="post">
>
> Is the data being sent securely (encrypted) from the user's browser?
>
> Note that the form page is being displayed with http while the form's
> cgi is being called with https.
>
> I'm seeing this usage more often; it's a bit disturbing to fill in a
> form with confidential information and not see the padlock at the
> bottom of the browser window. My testing leads me to believe that the
> form data is encrypted.
> -----------------------------------------------------------------------
-----------------------------------------------------------------------
The following was automatically added to this message by the list server:
Webnet information is available at <URL:http://webnet.berkeley.edu/>.
This archive was generated by hypermail 2.1.5 : Mon Dec 16 2002 - 17:47:28 PST