
At what point does a connection become secure?
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Jul 19, 2002, 11:08 AM
 
I have a custom default page for my browser which contains, among other things, a button like this:
code:

    <td align="center">
    <form ACTION="https://X.com/" NAME="login" ID="k2" METHOD="post">
    <input TYPE="hidden" NAME="username" VALUE="MyName">
    <input TYPE="hidden" NAME="password" VALUE="secret">
    <input NAME="SUBMIT" TYPE="SUBMIT" VALUE="Login">
    </form>
    </td>

My local page is an "insecure" connection, in that it's not encrypted, but since it's coming off my HD it's effectively secure.

What I'm wondering is, when I click on the button above, am I transmitting the username and password in the clear, or is it encrypted? The URL is to a secure server, but since a connection to a secure server has yet to be established, I'm thinking it might be sent in the clear without encryption. Doesn't the server have to send a public key to the browser before encryption can begin? And wouldn't the form/button data be sent immediately? Or is there actually a handshaking process which occurs that would protect the form data (since the METHOD is a POST and not a GET)?
     
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
Jul 19, 2002, 05:59 PM
 
That form is not secure. You have to secure the connection then send information.
     
Addicted to MacNN
Join Date: Sep 2000
Jul 19, 2002, 07:55 PM
 
Haven't read the HTTPS specs cover to cover, but I would encrypt the page the form is on itself. You're right, it *should* be secure because the data transmission is via POST or GET using HTTPS.

But the user won't know for sure until after they press the submit button. That isn't nice. I know I personally check before I submit anything to see the lock closed on my browser.
I always use protection when fscking my Mac... Do you?
     
Junior Member
Join Date: Jul 2002
Location: Hang Loose, Hawaii
Jul 19, 2002, 11:26 PM
 
For the reasons given by macvillage, you should access the page over HTTPS, since the input is hidden and the user/passwd would be visible in the HTML source.
Can I have that cookie?
     
Mac Elite
Join Date: Mar 2001
Jul 21, 2002, 07:52 PM
 
O.K. for the real answer now:

If you're accessing the page with the form over HTTPS (i.e. the user typed https://www.yourdomainname.com/default.html) then it's secure.

If that form was accessed via HTTP then when the end user fills out the form and clicks submit the stuff gets sent to your HTTPS page unencrypted - leaving your stuff to get hijacked/sniffed.

What you can do if you want the form to be secure but don't want to tell people they need to type HTTPS is to do a redirect to the login page, i.e. your index.html has a meta-refresh of 0 seconds with the https://www.yourdomainname.com/login.html page as the target page. This way people browse to the default page, get sent to the secure HTTPS page which has the form on it, they then fill out the form, press submit which gets sent to a secure page via your form action. The whole thing is encrypted.
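
Added example, not written by any poster in this thread: a Python sketch that audits a page's forms for the three things discussed here, namely whether the submission itself travels over TLS, whether the page carrying the form could be altered on the network, and whether credentials are hard-coded in the markup. The function names, result keys and the list of credential field names are assumptions made for illustration; the sample HTML is the form from the first post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed list of credential-like field names (illustrative, not exhaustive).
CRED_NAMES = {"username", "user", "login", "password", "passwd", "pass"}
# Constructed sample input: the form quoted in the first post.
SAMPLE = '''<form ACTION="https://X.com/" NAME="login" ID="k2" METHOD="post">
<input TYPE="hidden" NAME="username" VALUE="MyName">
<input TYPE="hidden" NAME="password" VALUE="secret">
<input NAME="SUBMIT" TYPE="SUBMIT" VALUE="Login"></form>'''

class FormAudit(HTMLParser):
    """Collect each form's action and any credential fields with preset values."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag/attribute names
        if tag == "form":
            self._open = {"action": a.get("action", ""), "stored": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if a.get("name", "").lower() in CRED_NAMES and a.get("value"):
                self._open["stored"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(page_url, html):
    """Return one finding dict per form on a page that was loaded from page_url."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # relative/empty action -> page origin
        findings.append({
            "target": target,
            # The browser completes the TLS handshake with the target before it
            # writes any HTTP request bytes, so an https target means the form
            # data (POST body or GET query string) is encrypted on the wire.
            "submit_encrypted": urlsplit(target).scheme == "https",
            # A page fetched over plain http can be rewritten in transit, action
            # URL included; a local file: page or an https page cannot.
            "page_tamperable_in_transit": urlsplit(page_url).scheme == "http",
            # Preset values are readable by anyone who can read the page source.
            "credentials_in_source": form["stored"],
        })
    return findings
```

Calling `audit("file:///Users/me/start.html", SAMPLE)` (the file path is a constructed placeholder) models the original poster's setup: a local page posting to an https action.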
     
   