Question about posting and HTTPS

sholodak

Hi,

I'm wondering whether or not the data being posted in the following scenario is actually encrypted or whether it goes through in cleartext.

There is a page with a login and password box. The page that it is served from is over an [url]http://[/url] connection. The form method is post and the action contains [url]https://[/url] in the URL.

An example of this is www.verizonwireless.com which has a login/password box in the header but is not loaded over HTTPS. The form is posted to a script that is.

I know that in peoples browsers, they won't see the lock or yellow title bar while entering their passwords and generally won't feel secure, but are they?

Thanks,
Scott

devinemke

there is absolutely no security benefit to serving up the initial form securely because at that point no data has yet been sent from the client to the server.

as to the psychological benefit of users seeing a little yellow lock on their browser when they fill out a form is another matter (beyond the scope of a PHP forum).