PHP : Posting to SSL - Clarification?

Question

Probably pretty basic question, but I’m a bit confused after reading similar questions and answers so hoping for more clarification.

If I have a non-secure page and have a form which posts to a protected one, will the data be encrypted once submitted?

Example: http://example.com/login.php

has a form that posts to secure page:

https://example.com/do.php” method=“post”> .....

Is that enough to make it a secure post or does the initial page have to be secure as well? No ajax or anything, just php...

Answer 1

Anything you post over SSL is secure in transit. But that is not where your problem would be.

If you have an insecure page http://example.com/login.php, an attacker can change the page when a user downloads it, because there is no security (no encryption, no integrity protection, nothing). The attacker can change the form to send the credentials from a login plaintext. Or send it to the attacker's server instead. Or inject any javascript, like for example to send every keystroke to the attacker right as keys are pressed. The attacker has full control over a page downloaded via plain http.

Why would an attacker then bother with the encryption in the next post? He can already have all the info before that post takes place.

So in short, if the original page was downloaded via plain http, there is (almost) no point in making a subsequent request over ssl - anything in the ssl request can be known to the attacker already. (Note that some special cases may be exceptions from this, but in general, this is the case.)

One notable exception is when it's not the request that needs to be protected, but the response - that will be encrypted in an ssl exchange, and I think a different protocol, https vs http will count as a different origin, so it will be harder to get info from the response even if javascript is injected into the original plaintext page. But this is not the case for the supposed functionality of a login.php - that must be served over https.