10

Is HTTPS as the (HTML) form's action enough for the form data to be SSL encrypted for submission?

Or does the page that hosts the form have to be HTTPS as well?

Dougal
  • I ask because I see that Twitter's "Sign in" popup box launches from an HTTP page but actions to an HTTPS page. Got me wonderin' LOL – Dougal Jan 11 '11 at 23:52

3 Answers

11

If the page the form is hosted on is not served over HTTPS, then it can be intercepted and modified en route. These modifications can include such things as changing the action of the form, or adding JavaScript to send the data to a third party before submitting the form as normal.

Submitting the form over HTTPS is not sufficient to protect the data. The form needs to be delivered that way too.

Quentin
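The modification Quentin describes (the form action or surrounding script being rewritten in transit) is only possible when the page carrying the form arrives over plain HTTP. The following Python script, added here as an illustration and not taken from any of the answers, audits the forms in a page for exactly that pattern: it resolves each form's action against the page URL and reports whether the submission is encrypted ("ok"), the action is HTTPS but the page itself was fetched over HTTP ("insecure-page", the case in the question), or the action itself is plain HTTP ("insecure-action"). The sample page and the hostnames in it are constructed for the example.

```python
"""Audit forms in an HTML page for the 'HTTPS action on an HTTP page'
pattern. Added example, not code from the original answers; the sample
page and URLs below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # attrs is a list of (name, value) pairs; value may be None
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one (resolved_action, verdict) tuple per form.

    Verdicts:
      'ok'               page and action are both https
      'insecure-page'    action is https but the page came over http, so the
                         form (and its action) could be rewritten in transit
      'insecure-action'  the form posts over plain http: data sent in clear
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action in parser.actions:
        # A relative action inherits the scheme of the page that hosts it.
        resolved = urljoin(page_url, action)
        action_scheme = urlsplit(resolved).scheme.lower()
        if action_scheme != "https":
            verdict = "insecure-action"
        elif page_scheme != "https":
            verdict = "insecure-page"
        else:
            verdict = "ok"
        findings.append((resolved, verdict))
    return findings


# Constructed sample: a page served over plain HTTP whose sign-in form posts
# to HTTPS (the situation in the question), plus a relative-action form.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://login.example.test/session">
  <input name="user"><input name="pass" type="password">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, verdict in audit_forms("http://www.example.test/home", SAMPLE_HTML):
        print(f"{verdict:16} {url}")
```

Running it against the constructed page fetched over HTTP flags the sign-in form as "insecure-page" and the relative search form as "insecure-action"; re-running with an https:// page URL turns both verdicts into "ok", which is the whole point of the answer: the page's own scheme decides, not just the action's.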
4

HTTPS on the form's action is sufficient to encrypt the form submission.

The page that hosts the form doesn't have to be HTTPS, although it helps to give the users confidence that their data is secure.

The other benefit of securing the hosting page is that the form can't be spoofed or altered by a man-in-the-middle.

Andrew Cooper
  • While it works, there are a bunch of reasons not to do it; the right answer is, while it is possible, don't do it because the user is unaware. – stephbu Jan 11 '11 at 23:44
  • @stephbu: Agreed - and I listed two of those reasons in my answer. – Andrew Cooper Jan 11 '11 at 23:55
  • Hehe - my original comment was truncated - I'd put that I would have voted for @stian, being newer, but your customer focused reasons are far more accurate. – stephbu Jan 12 '11 at 00:09
  • “other benefit” is an understatement! If the form action is spoofed, there is HTTPS after all. So it is **not** sufficient. – Martin Ueding Sep 24 '14 at 18:32
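The practical fix the comments converge on is to never serve the form over HTTP at all. As an added example (not code from the answers or from any project mentioned), here is a small WSGI middleware that redirects every plain-HTTP request to its HTTPS equivalent and adds a Strict-Transport-Security header to HTTPS responses so browsers stop requesting the HTTP version in the first place. The inner application, the host name and the one-year HSTS policy are assumptions chosen for the illustration.

```python
"""Force HTTPS delivery of every page so a form is never served over plain
HTTP. Added example as a WSGI middleware; not code from the answers above.
The app, the canonical host and the HSTS policy are constructed."""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; assumed policy


def require_https(app, canonical_host):
    """Wrap a WSGI app: redirect plain-HTTP requests to HTTPS and attach
    Strict-Transport-Security to every response that did come over HTTPS."""

    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme", "http") != "https":
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}"
            if query:
                location += "?" + query
            # Browsers follow a 301 with GET, so a POST that arrived over HTTP
            # is not replayed; its body was already exposed and cannot be unsent.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def login_form_app(environ, start_response):
    """Constructed inner app serving a sign-in form. Only HTTPS requests reach
    it through the middleware, so the form is always delivered encrypted."""
    body = (b'<form method="post" action="/session">'
            b'<input name="user"><input name="pass" type="password">'
            b'</form>')
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(environ):
    """Exercise the stack without a server: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    secured = require_https(login_form_app, "www.example.test")
    body = b"".join(secured(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run({"wsgi.url_scheme": "http", "PATH_INFO": "/login",
               "QUERY_STRING": "next=%2Fhome"}))
    print(run({"wsgi.url_scheme": "https", "PATH_INFO": "/login",
               "QUERY_STRING": ""}))
```

The redirect alone still leaves the very first HTTP request open to interference, which is why the HSTS header is added on the HTTPS side: once a browser has seen it, later visits go straight to HTTPS and the window in which the hosting page could be altered is closed.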
2

It is enough if all you want to do is wave the magical encryption fairy dust around. It's not enough if you want to actually be secure. Any man-in-the-middle attack could simply rewrite the form HTML to post to a malicious server.

Jim