ssl on login form?
  • Time: 2009-11-16 21:43:29
  • Tags: ssl

I have SSL on my website... when the user logs in from an http page the form action is sent to an https page, would this still secure the posted data?

Or would it be better to have the form and the page it is posted to both SSL?

Thanks

Best answer

It is absolutely necessary for both the page with the form AND the page being submitted to to be HTTPS. Unless the page with the form has HTTPS, you can make no guarantees about where that form is submitting to. It may not actually submit to an HTTPS page (are you expecting your visitors to view the source?) or something may have inserted some malicious javascript to redirect the form to somewhere else. However, if the form is also HTTPS then you know that it hasn't been tampered with.

Security is more than just ticking a box saying "I have encryption", it's a whole process.

But here's the important part (and why the only correct answer to this question is "both FROM and TO must be HTTPS") that most people forget: HTTPS (and SSL/TLS in general) isn't just encryption, that is only a part of it. It's about TRUST:

  1. You know where your data is being submitted to. This includes not just the server hostname but also the identity of who that hostname represents
  2. You know that nothing has been tampered with along the way

Without HTTPS on the FROM page, #2 above can't be guaranteed (the FROM page could be tampered with), which means that #1 can't be guaranteed. After all, if your form were somehow tampered with, how do you know what that form will do with your data in the end?
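A static check for the rule the accepted answer states, added here as an example that is not part of the original thread: it parses a page's HTML (Python standard library only), finds every form that collects a password, and reports whether the page itself and the form's resolved action are both HTTPS. The URLs and HTML below are constructed sample input, not taken from the asker's site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record every <form> on a page: its action attribute and whether
    it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Check every password-collecting form on a page.

    Returns a list of (resolved_action_url, issues); an empty issues list
    means both the page and the form's action are HTTPS. An empty or
    relative action is resolved against the page URL, as a browser would.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are out of scope
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme.lower()
        issues = []
        if page_scheme != "https":
            # The answer's point: an HTTP page can be altered before the
            # user ever sees it, so the action it declares cannot be trusted.
            issues.append("form page served over " + page_scheme)
        if action_scheme != "https":
            issues.append("form posts over " + action_scheme)
        findings.append((action, issues))
    return findings


# Constructed sample page: a search box (no password) and a login form whose
# action is an absolute HTTPS URL, the exact setup the question asks about.
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="https://www.example.com/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
"""

# Constructed sample: the same login form, but with a relative action.
RELATIVE_HTML = """
<form action="/auth" method="post">
  <input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for url in ("http://www.example.com/login", "https://www.example.com/login"):
        for action, issues in audit_login_forms(url, SAMPLE_HTML):
            print(url, "->", action, ":", issues or "OK")
```

The check only inspects the HTML you actually serve; it cannot see what would be substituted in transit on an HTTP page, which is exactly why the answer insists the form page itself be HTTPS. It is useful as a deployment test so a login form never quietly regresses to an HTTP page or an HTTP action.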

Answers

Yes, the transmission of the form data is still secure. You can use a network sniffer (Fiddler, NetMon, ...) to validate this. But for the user experience you should still put your login form on an SSL site. That way they see the "lock" icon in their browser. Also, there's no guarantee that the form hasn't been tampered with if you don't use SSL (as Adam said).

You need to have the form page with SSL to be secure.
