RE: ssl forms

by jim <jim(at)newglobal.net>

 Date:  Fri, 13 Jul 2001 22:18:36 -0500
 To:  hwg-servers(at)hwg.org
The missing little lock symbol can cost plenty of customers. Realizing that 
a huge majority of people know nothing about web servers, secure or 
otherwise, but react to what they are told makes a secure transaction. If 
their understanding's not satisfied by seeing the "safe little icon" their 
business is off to the next website.

Not meaning to break open a whole new can of worms, but if the average 
consumer knew what was happening behind the scenes I think web-based cc 
sales would be in big jeopardy. For example, I wonder, how many sites use 
SSL to process credit cards only to send that information by an insecure 
mailer to an address somewhere off server? How secure is that?

Jim

At 01:07 PM 7/13/01 -0700, you wrote:
>If it's no big deal to have the blank form on the https server, then I'd put
>it there. I am always wary of seeing a form without the little lock symbol
>in the bottom of the browser.
>
>Chuck Evans
>
>-----Original Message-----
>From: Mailing List Account [mailto:ml(at)digitaldaze.com]
>
>I see a lot of misinformation about this all the time.  Too many people
>believe that the initial blank page being sent to their web browser needs
>to be encrypted.  Think about that for a minute.  Is there anything
>sensitive on that initial page when it is sent from the web server to the
>web browser?  No.  So no encryption is required.
>
>After you fill out the form, you will want your data to be encrypted for
>the journey to the destination web server.  This is what the form post to
>https:// does.
>
>The big thing to remember is that SSL only encrypts the data during
>transmission.  It does not encrypt it while you are typing it in, nor does
>it stay encrypted once it has been saved on the destination server.
>
> > I saw some websites asking for credit card info via a non-secure form page,
> > but the submit called a secure form.  Now, my understanding was that hitting
> > submit on the browser from the non-secure form sent the info to the
> > webserver to then pass to the secure form, via http and not https.  It was
> > my understanding that the form info was sent prior to calling up the secure
> > form and is passed to the secure via the submit function.
> >
> > Some of those on that other forum stated that the info would be secured
> > because you are submitting to a secure page (https).  I haven't had time to
> > verify this via a sniffer, but was wondering if anyone here has tested this
> > to know for sure.
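
Added example, not part of the original thread: the question of how the submitted data travels can be answered from the markup alone, because a browser posts the fields directly to the form's resolved action URL. The sketch below reports that separately from how the blank form page itself was fetched; the hosts, field names and the `SENSITIVE` list are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as payment data (an assumption of this example).
SENSITIVE = ("card", "cvv", "expir")

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action URL and payment fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # The browser posts straight to this URL; a relative action
            # inherits the scheme of the page, an empty one is the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._open = {"action": action, "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            name = (a.get("name") or "").lower()
            if any(s in name for s in SENSITIVE):
                self._open["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(page_url, html):
    """Report, per form with payment fields, how the page and the POST travel."""
    parser = FormAudit(page_url)
    parser.feed(html)
    return [{"action": f["action"], "fields": f["fields"],
             "post_encrypted": urlsplit(f["action"]).scheme == "https",
             "form_page_encrypted": urlsplit(page_url).scheme == "https"}
            for f in parser.forms if f["fields"]]

# Constructed sample page (hypothetical hosts and field names).
SAMPLE = """
<form action="https://secure.example.com/pay" method="post">
  <input name="cardnumber"><input name="expiry"><input type="submit">
</form>
<form action="/cgi-bin/order.cgi" method="post"><input name="cardnumber"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for row in audit("http://shop.example.com/order.html", SAMPLE):
        print(row)
```

`form_page_encrypted` corresponds to the lock symbol discussed in the thread; `post_encrypted` is the property that covers the card data on its way to the server.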

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA