Is the initial https: request secure?
Can anyone answer the following: (Assume, IIS, ASP web pages)
A non-SSL page has userid/password input fields. This page posts to a secure
(https) page. Is all the data encrypted?
I have seen several sites that have a nonsecure 'login' page that posts to
a scure page. While other sites, make the user proceed to a secure page before
logging in. Is one option more secure?
I have not been able to get a solid answer on this. My feeling is the browser
recognizes the 'https' in the URL and creates a secure session before posting
the data, but I would hate to be wrong.
Please, any comments would be helpful.
[683 byte] By [
Brit] at [2007-11-9 23:52:13]
# 1 Re: Is the initial https: request secure?
"Brit" <kbpair@yahoo.com> wrote in news:3c98dbc3$1@10.1.10.29:
>
> Can anyone answer the following: (Assume, IIS, ASP web pages)
>
> A non-SSL page has userid/password input fields. This page posts to a
> secure (https) page. Is all the data encrypted?
Yes. It is. The unsecure page is on the user's computer. Data is encrypted
based on the link go you *to*.
>
> I have seen several sites that have a nonsecure 'login' page that posts
> to a scure page. While other sites, make the user proceed to a secure
> page before logging in. Is one option more secure?
No, but it looks like it to the average person. If people don't see the
little locked padlock on the form page, they think it's unsecure. So many
sites make that page SSL, too.
>
> I have not been able to get a solid answer on this. My feeling is the
> browser recognizes the 'https' in the URL and creates a secure session
> before posting the data, but I would hate to be wrong.
>
> Please, any comments would be helpful.
>
Slashdot has covered it recently, in some detail. The reason to make the
form page secure is pure PR, not technical.
Terry Austin
