Posted by Jukka K. Korpela on 11/27/05 16:17

"Sparticus" <sparticusREMOVE@thesparticusarena.com> wrote:

> I was looking at websites such as hotmail.com. If you notice when you
> go to hotmail.com and try and log in, it isn't a "secure site".

The page containing the login form is indeed sent via http, not https.
It doesn't really matter, except in the sense that people may have been
misled into thinking that it does (and even look for a lock symbol to
indicate "secure site"). The page is sent unencrypted, but who cares?
It's publicly accessible anyway.

> I did
> notice that the 'form action' is sent to a secure site (ie. https).

Indeed. That's what matters.

> How does that help?

By making data transmission from your browser to the server encrypted.

> Just because you send the form data to a secure
> site, the data is still sent in plain text to the secure site....
> right?

Wrong. It's the action attribute that matters, not the URL of the page
containing the form. The action attribute determines the address to be used
in the transaction where your data is sent.

--
Yucca, http://www.cs.tut.fi/~jkorpela/
Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html

[Back to original message]