Re: OT, security of non-https transaction



Dave wrote:
Thanks for the information on that. I didn't realise the "s" could be absent and
the link still "secure". I just went through completing the form again and (I
must have missed this before), my client browser popped up a msg saying this
link IS encrypted/secure.

It's where the data goes that is important. It is possible to present a form
via https, and send the results in a really insecure manner by, say, submitting
the form via METHOD="GET" to an http (no 's') page, in which case any entered
details would be part of the URL (in the format of
http://server.address.here/path/file.html?CREDIT_CARD_NO=1234567890123456), but
anyone with half a clue wouldn't be _that_ stupid (although now I mention it,
I'm bound to find someone, eh?)

So, the form can be presented via http, but submitted via https. This is not
ideal, for the reasons given in the articles linked to earlier (i.e. https not
only provides transit security, but also provides for server authentication,
i.e. you know who you are talking to).

Personally, I'd rather send credit card information and other sensitive stuff
via email, encrypted using GPG, but because this has not been made user-friendly
enough, virtually nobody accepts it, and government isn't exactly going to
encourage it, because we can't have usable, secure encryption in the hands of
the masses now, can we?

(ooops, just labelled myself as an Islamic Christian Buddhist atheist-extremist
far-right communist far-left revolutionary separatist environmental animal
rights activist fascist anti-governmental weirdo terrorist in every government
usenet-scanning engine worldwide... Oh dear.)
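
An added example, not part of the original post: a small Python check that resolves where each form on a page actually submits and flags the cases described above (http action, GET with sensitive fields, form page itself served over http). The function name, the issue labels, the field-name hints and the sample URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HINTS = ("card", "cvv", "pass")  # assumed name fragments marking sensitive fields


class FormCollector(HTMLParser):
    """Record each <form>: resolved action URL, method, and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.open_form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lower-cased, values do not
        if tag == "form":
            # An absent action submits back to the page's own URL.
            self.open_form = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self.open_form)
        elif tag == "input" and self.open_form is not None:
            self.open_form["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form = None


def audit(page_url, html):
    """Return (action, issue) pairs for forms that carry sensitive fields."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(t == "password" or any(h in n for h in HINTS)
                   for n, t in form["fields"]):
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], "action-not-https"))
        if form["method"] == "get":
            findings.append((form["action"], "sensitive-data-in-url"))
        if urlsplit(page_url).scheme != "https":
            findings.append((form["action"], "form-page-not-https"))
    return findings
```

The check looks only at the markup as served; a script that rewrites the form's action after load would not be seen by it.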