Fellow Stranger

Reputation: 34013

An HTTP Secure form on a static HTTP-only website - how secure are the submissions?

I have a website on normal shared web hosting, with no HTTPS.

On the website I have a form posting to the provider JotForm with an HTTPS URL.

Will these submissions be securely transferred?

Upvotes: 1

Views: 81

Answers (1)

drf

Reputation: 8699

An adversary with the capability to intercept, but not tamper with, traffic on the wire would not be able to view the user's form submissions, as this data would be sent over HTTPS and encrypted. In this sense, the proposed approach is more secure than sending the content in plaintext.

However, the approach is vulnerable to other classes of attack. A principal vulnerability with this approach is that the non-secure form provides no integrity assurance. An attacker with the ability to alter plaintext on the wire could simply tamper with the non-secure form as it is being transmitted to the user. With this capability, an attacker could (as examples):

  • Change the form ACTION parameter to post to a page controlled by the attacker, either to obtain the data or execute a Man-in-the-Middle attack.
  • Inject JavaScript code to intercept form values
  • Change the elements the form collects
  • Force form values to coerce the user into submitting unintended content

A second, human-factors issue is that the end user will not be able to ascertain that the website is secure (e.g., the browser cannot examine the certificate before submitting the form, and the page will not show elements associated with pages loaded over HTTPS). This could induce reluctance on the part of users to complete the form, particularly if end users consider the material being submitted as confidential.

Upvotes: 3
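
An added example, not part of the answer above: a small audit that a site owner could run over their own pages to flag the situation the answer describes, where the form's target is HTTPS but the page carrying the form is served over plain HTTP and so has no integrity protection. The host names, the sample HTML, the verdict labels and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the host names are placeholders.
SAMPLE_HTML = """
<html><body>
  <form action="https://forms.example.test/submit" method="post">
    <input name="email"><input type="submit">
  </form>
  <form action="/search"><input name="q"></form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Records the action attribute of every <form> and the first <base href>."""
    def __init__(self):
        super().__init__()
        self.actions, self.base = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None:
            self.base = attrs.get("href")
        elif tag == "form":
            self.actions.append(attrs.get("action") or "")

def audit_forms(page_url, html):
    """Return (resolved action URL, verdict) for each form on the page."""
    collector = FormCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        # An empty action submits back to the page's own URL.
        target = urljoin(base, action) if action else page_url
        target_secure = urlsplit(target).scheme == "https"
        if page_secure and target_secure:
            verdict = "ok"
        elif page_secure:
            verdict = "submission-in-cleartext"
        elif target_secure:
            verdict = "form-not-integrity-protected"  # the case in the question
        else:
            verdict = "page-and-submission-in-cleartext"
        findings.append((target, verdict))
    return findings

if __name__ == "__main__":
    for target, verdict in audit_forms("http://site.example.test/contact.html", SAMPLE_HTML):
        print(f"{verdict:34} {target}")
```

The audit only reads the markup as fetched; it cannot tell whether the copy a visitor receives over HTTP was altered in transit, which is why the only verdict of "ok" requires the page itself to be served over HTTPS.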
