Is a signon to an SSL site from an http:// page secure?

Frank DiPrete fdiprete at comcast.net
Thu Jun 23 16:57:01 EDT 2005


On Thu, 2005-06-23 at 13:41 -0400, Ted Roche wrote:
> I always thought that you needed to be using an https:// page before  
> sending user names and passwords to log in. My credit union claims  
> this isn't true, and that since clicking the signon button takes you  
> to an SSL page, the information typed in is transmitted securely. I  
> have my doubts. Here's a portion of their claim, from the front page  
> of http://www.navyfcu.org. I'd welcome opinions.
> 
> "Your experience online is very important to Navy Federal, and the  
> Account Access Sign On is conveniently located on our Navy Federal  
> home page. However, you may have recognized that, when you are on the  
> home page, the familiar security symbols do not appear in your  
> browser to symbolize that the page is secure. In fact, the home page  
> itself is informational and not encrypted. Therefore it does not  
> display the familiar “Lock” symbol in the bottom right–hand corner,  
> nor does the address line begin with https. However, it is “safe” to  
> enter your sign-on information from the home page. Your Access  
> Number, User ID and Password are not transmitted until you click the  
> “Sign On” button. After you click the “Sign On” button, a secure,  
> encrypted connection is established between your personal computer’s  
> browser and our Navy Federal systems, using Secure Socket Layers  
> (SSL). After you click “Sign On”, you can validate that SSL is being  
> used by seeing that “https” is displayed at the beginning of the data  
> in your browser’s address line."
-- 

</lurk mode>

This is correct. The form will call another URL (probably POST).
Check the page source and look for the form's script URL - it probably
begins with https://

<lurk mode>



Frank DiPrete <fdiprete at comcast.net>



