Say I'm at the URL http://mysite.com/form.html. When viewing source, I see:

<form method="post" action="https://mysite.com/process">
<input type="text" name="user" value="information">
<input type="submit">
</form>

If I hit the submit button, will the form information be encrypted when it's sent to the process page/controller?

+1  A: 

Yes, it will be encrypted.

Andy E
+4  A: 

Yes - the data in the form will be sent encrypted using the usual handshake that SSL implements. From there you can choose to keep your user under SSL, or throw them back to a standard connection using a session identifier.

Seidr
A: 

It will be encrypted on the lower network levels (e.g. raw packets, TCP, IP, Ethernet) not on application level (since it is transparently decoded at the receiver's side).

A man in the middle would not see the plain text of your submitted form data when the target URL uses encryption (like HTTPS does).

Robert
+3  A: 

Yes it will, but note that a fair amount of effort has been put into training users to look for the SSL padlock on the page containing the form (whether the training is effective is a different matter). Browsers will, in general, complain if a form on a secure page is submitted to an insecure page, so the trained behaviour does have a positive purpose.

If you do implement your form like this, the user will have no way to know that the form submission will be secure (without looking at the page code) until they hit submit. This may not matter in your use-case, but it does go against the attempts to train people to look for the padlock if the data in the form is such that the user should only be submitting it securely.

Andrew Aylett
thank you, that's a good point!
John
+1  A: 

There is no guarantee that it will be encrypted, or that the submitted data will reach your website.

Since the original response was over HTTP, a man-in-the-middle could have altered your HTML source, or could have inserted some JavaScript to modify the action parameter of your form. Thus, your form could read like this when it reaches the browser:

<form method="post" action="https://evilsite.com/process">
<input type="text" name="user" value="information">
<input type="submit">
</form>

Which means that you MUST use HTTPS on all your pages if you want to be secure.

sri
A very good point
SLC
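
An added example (not from any of the answers above): a small Python audit that flags the case sri describes, a form delivered over plain HTTP whose action points at HTTPS, along with the reverse case Andrew Aylett mentions. The name `audit_forms`, the verdict strings and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one (resolved_action, verdict) pair per form on the page."""
    collector = FormCollector()
    collector.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        target_secure = urlsplit(target).scheme == "https"
        if page_secure and target_secure:
            verdict = "ok"
        elif page_secure:
            verdict = "https-page-posts-to-http"  # data leaves in clear text
        elif target_secure:
            verdict = "http-page-posts-to-https"  # action can be rewritten in transit
        else:
            verdict = "all-http"
        findings.append((target, verdict))
    return findings


# Constructed sample: the form from the question.
SAMPLE = '''<form method="post" action="https://mysite.com/process">
<input type="text" name="user" value="information">
<input type="submit">
</form>'''

if __name__ == "__main__":
    for url in ("http://mysite.com/form.html", "https://mysite.com/form.html"):
        print(url, audit_forms(url, SAMPLE))
```

Only the `ok` verdict means both the page and the submission were protected in transit; the page URL passed in must be the one the browser actually fetched.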