Re: Internet Explorer SSL encoding

From: Alun Jones (alun@texis.com)
Date: 10/09/02

Next message: Whitney: "Login Password ??"
Previous message: Philippe Signoret: "Re: help"
In reply to: Jon Keeney: "Internet Explorer SSL encoding"
Next in thread: S. Pidgorny [MVP]: "Re: Internet Explorer SSL encoding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: alun@texis.com (Alun Jones)
Date: Wed, 09 Oct 2002 01:47:34 GMT

In article <9db501c26f22$72d41cb0$35ef2ecf@TKMSFTNGXA11>, "Jon Keeney"
<jon_keeney@itsolutionstx.com> wrote:
>I have a web page at an http address. On this web page, I
>have a form that uses the post method to send a username
>and password to a secure script using action="https://
>
>A security company is telling my customer, a bank, that
>the data sent sent is not encrypted and is not secure.

It's possible - there are some cases where the form is displayed using
https://, and yet the post method is done through http://. More likely, from
the way you've phrased your question, is that the security company took a look
at the form displayed on the screen, noticed that the lock wasn't there, and
assumed that it was unsecured. But then again, so will your users.

>It is my understanding that there is communication between
>IE and the https server before any data is sent and then
>the data is encrypted. Is this correct.

Yes - the host name is resolved to an IP address, a connection is made to port
443, and _immediately_, the SSL negotiation starts. All data is then
encrypted. One thing you could do is put a network trace between the client
and the server, and demonstrate that the text is not sent in the clear.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.

Next message: Whitney: "Login Password ??"
Previous message: Philippe Signoret: "Re: help"
In reply to: Jon Keeney: "Internet Explorer SSL encoding"
Next in thread: S. Pidgorny [MVP]: "Re: Internet Explorer SSL encoding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

HTTP POST from ASP Page
... data from an ASP page to another server via HTTP, using a POST method. ... authentication and the HTTP connection is actually and HTTPS ...
(microsoft.public.inetserver.asp.general)
RE: Outlook RPC over HTTp deosnt work
... try to use RPC over HTTP to connect the Exchange Server. ... What SBS is running on the problematic Server? ...
(microsoft.public.windows.server.sbs)
Re: RPC over HTTP
... I will help you with the PRC over Http issue in this thread. ... and go through the Internet option. ... On the Web Server Certificate page shows. ... Microsoft CSS Online Newsgroup Support ...
(microsoft.public.windows.server.sbs)
Re: Getting a number from a string
... server, issues a URL specifying one of my CGI applications. ... POST method, all that data is queued on standard input. ... encoded data will be passed to that debug loop, so I have to be careful ...
(comp.lang.lisp)
Re: RPC over HTTP
... Are there any other ways of configuring the RPC over HTTP? ... Outlook Web Access, Business Website and so on. ... On the Web Server Certificate page shows. ...
(microsoft.public.windows.server.sbs)