Midnight Voices (https://www.peteatkin.com/cgi-bin/mv/YaBB.cgi)
Atkin admin >> Tech >> HTML/SSL question
(Message started by: Gerry Smith on Today at 16:23)

Title: HTML/SSL question
Post by Gerry Smith on Today at 16:23
I'm hoping a tech savvy MV might be able to answer a question I have relating to HTML forms and HTTPS links.

I have an HTML form which resides on a standatd, non-secure http:// page. The 'send' button on the form invokes the following code:

<form action="https://secure.magic-moments.com/thenew/cgi-bin/SimpleSecure.pl" method="post">

Someone is claiming that despite this, since the form itself resides on a non-secure page, the data is sent out via port 80 and not 443. Personally I don't see how this can be the case - on clicking the 'send' button the usual warning that you are about to view pages over a secure connection pops up and nothing is sent before 'OK' is clicked.

Any advice gratefully received.



Title: Re: HTML/SSL question
Post by Snoopy on Today at 17:08
You are entirely correct - because the script that is called by the form is on an SSL-encrypted site, the data passed from the user's web browser across the internet will be encrypted.

However, persuading someone who is convinced otherwise that this is the case is less trivial.  The recent push in security has caused many people to be very suspicious if they don't see the padlock icon, and for (reasonably) good reasons.

As an example of why your site is technically encrypted but still off-putting, imagine the reverse situation, where your script is not hosted on a HTTPS site.  Until the point I hit submit on that form, short of examining the source code of your webpage, I have no proof that the data is going to be encrypted.  The only indication of this occurs after I hit the submit button, at which point it will pop up a 'secure connection' notification.  

But if the form is on an open HTTP site, I don't get any warning at all - I've just submitted my data over an open link!  In other words, your site is giving security feedback only after the point of no return - if it's not encrypted, it's too late, and I can't get my data back.  It's not unreasonable for people to be cautious in this situation.

If possible, you should really attempt to get the form itself hosted on the HTTPS server as well.  This gives much more protection for the customer, as they both have the padlock icon in their browser (and can examine your security certificate's credentials before submitting data), and they will get a warning if the data they submit is not being sent over a secure link.

Title: Re: HTML/SSL question
Post by Gerry Smith on Today at 17:30
Many thanks, Snoopy. Glad I'm not going mad (did that years ago!). Your advice is good though - I've had this complaint several times now. Might be better just to host the page on the secure server.

I didn't do this originally because the page in question is entitled 'subscription information' and just happens to have the form on it in case anyone decides to subscribe. I thought if people see the SSL 'warning' - which is often associated with parting with money -  before they've read the info, it might put some people off and hence lose customers.

Thanks for your good advice.


Midnight Voices » Powered by YaBB 1 Gold - SP 1.3.1!
YaBB 2000-2003. All Rights Reserved.