The form page that you fill in can be unsecure (HTTP) but the target page/URL to which the data is sent can be secure (HTTPS) and this is not a security problem per se. But many people expect even the form page to be secure.
There's no sensitive data sent in the clear in the scenario that I outlined above. The user gets the form via an unsecure (sic.?) link, fills in the data via their browser and this (possibly sensitive data) gets submitted via a secure link. Obviously there are other risks such as keylogging etc. but that is not the focus of this thread.
Unless someone sets up a MITM or Browser jacking session which captures all that data in unencrypted format.
Then there is an unnecessary exposure of sensitive data.
There's no sensitive data sent in the clear in the scenario that I outlined above. The user gets the form via an unsecure (sic.?) link, fills in the data via their browser and this (possibly sensitive data) gets submitted via a secure link. Obviously there are other risks such as keylogging etc. but that is not the focus of this thread.
http://ask.metafilter.com/48531/are-http-forms-posted-thru-https-secure
I'm intrigued. Can you explain further please about where the encryption happens?
I don't think that anybody should use that method. Better to secure both the URL from which the form is retrieved and also the URL to which the data is sent even if the former may be somewhat redundant subject to caveats such as you and that link mention...