Security Basics mailing list archives

Re: Encrypted or Not Encrypted

From: Roman Fulop <ml () ensof1 trithem sk>
Date: Fri, 12 Sep 2008 09:28:37 +0200

Hi,
AFAIK, the SSL handshake occurs before sending HTTP request.

amatachick () gmail com wrote:

I've run into this issue a few times now and would like to know what y'all think. Here is the situation: A website 
not using SSL has a login page. As soon as credentials are entered on this page they are redirected to a site using 
SSL. Here is a specific example of the code on one such site:
<form name="loginpersonal" method="POST" action="https://secure.sitename.com/engine/login/login.asp"; onSubmit="return 
checkLoginForm(this);">
   <input type=hidden name=IsPostback value=1>

Now, from what I understand, the login credentials would still be unencrypted while traveling to the secure site. So 
that would negate the effect of having it redirect to a secure site in the first place. Right? I keep brining up this 
fact but all I get back is that it's being redirected so it's secure. I feel like I'm taking crazy pills here so I'd 
appreciate some feedback. Am I wrong? If I am I can handle that, I'd just like to know. Thanks!

Current thread:

Encrypted or Not Encrypted amatachick (Sep 11)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
  - Re: Encrypted or Not Encrypted Gregory Rubin (Sep 16)
- Re: Encrypted or Not Encrypted Garry Baker (Sep 12)
- RE: Encrypted or Not Encrypted Eifrém Strinnholm Jonas (Sep 12)
  - Re: Encrypted or Not Encrypted Rob (Sep 16)
    - Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 16)
    - RE: Encrypted or Not Encrypted Basha, Arif (Sep 16)
    - Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 17)
    - Re: Encrypted or Not Encrypted Roman Fulop (Sep 18)
    - Message not available
    - Re: Encrypted or Not Encrypted Roman Fulop (Sep 19)
    - Re: Encrypted or Not Encrypted Rob (Sep 17)

(Thread continues...)