secure site ? NoT!

Yes, you are wrong, but you're not the first person to ask this
question and you probably won't be the last.

Read this KB article for a more detailed explanation of how the SSL
handshake process takes place :

Description of the Secure Sockets Layer (SSL) Handshake
http://support.microsoft.com/?id=257591


Regards,

Paul Lynch
MCSE
 >> Stay informed about: secure site ? NoT! 

Yes i know it posts to a secure site.
But the info is unsecured until it reaches that site. However it sounds
like i am wrong

"Ohaya" <ohaya.RemoveThis@cox.net> wrote in message
news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
 > Jeff,
 >
 > I think that if you look at that page (Right click -> View Source), you'll
 > find that clicking on the Sign On causes a POST to:
 >
<font color=purple> > <a style='text-decoration: underline;' href="https://online.wellsfargo.com/</font" target="_blank">https://online.wellsfargo.com/</font</a>>
 >
 > Since the POST is being done to an https:, that link will be SSL-secured.
 >
 >
 >
 > "Jeff Clark" <JeffC.RemoveThis@NO_SPAMreturnventures.com> wrote in message
 > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
  > > oops.
  > >
  > > Go here.
<font color=green>  > > <a style='text-decoration: underline;' href="http://www.wellsfargo.com/</font" target="_blank">http://www.wellsfargo.com/</font</a>>
  > >
  > > When you sign on you are not on a secure page. Therefore your userid
and
  > > password are not secure.
  > > Sure, they send you to a SSL page, but that is after you have sent your
  > > userid and password over the net.
  > >
  > > Am I wrong?
  > >
  > >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT! 

thanks


"Paul Lynch" <paul.lynch.TakeThisOut@nospam.com> wrote in message
news:t6m2pv45b5ibmok5qmvl9cfpcreb1bq3ja@4ax.com...
 > Yes, you are wrong, but you're not the first person to ask this
 > question and you probably won't be the last.
 >
 > Read this KB article for a more detailed explanation of how the SSL
 > handshake process takes place :
 >
 > Description of the Secure Sockets Layer (SSL) Handshake
<font color=purple> > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=257591</font" target="_blank">http://support.microsoft.com/?id=257591</font</a>>
 >
 >
 > Regards,
 >
 > Paul Lynch
 > MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT! 

Jeff,

I know you're wrong ( - just kidding!), but I'm still kind of confused
about why you thought you were right.

I've gone back and re-read your original post, and I still don't
understand your concern. The way that this works is:

1) you got to the original <a style='text-decoration: underline;' href="http://www.wellsfargo.com" target="_blank">http://www.wellsfargo.com</a>
2) <a style='text-decoration: underline;' href="http://www.wellsfargo.com" target="_blank">www.wellsfargo.com</a> serves an HTML page using HTTP (i.e., the served
page is not encrypted when it is served)
3) User types his/her username and password into the text boxes on the
served page, then clicks "> Sign on" button
4) Browser makes an SSL connection to <a style='text-decoration: underline;' href="https://online.wellsfargo.com," target="_blank">https://online.wellsfargo.com,</a>
then once this SECURE, ENCRYPTED connection is established, the browser
sends the username and password (does the POST) to the site. This data
is sent over the SECURE, ENCRYPTED connection.


So, per above, when the username and password are sent to the host, this
is done over a SECURE, ENCRYPTED SSL connection, so I don't understand
"But the info is unsecured until it reaches that site." part of your
post below.

What am I misunderstanding here??




Jeff Clark wrote:
 >
 > Yes i know it posts to a secure site.
 > But the info is unsecured until it reaches that site. However it sounds
 > like i am wrong
 >
 > "Ohaya" <ohaya.RemoveThis@cox.net> wrote in message
 > news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
  > > Jeff,
  > >
  > > I think that if you look at that page (Right click -> View Source), you'll
  > > find that clicking on the Sign On causes a POST to:
  > >
<font color=green>  > > <a style='text-decoration: underline;' href="https://online.wellsfargo.com/</font" target="_blank">https://online.wellsfargo.com/</font</a>>
  > >
  > > Since the POST is being done to an https:, that link will be SSL-secured.
  > >
  > >
  > >
  > > "Jeff Clark" <JeffC.RemoveThis@NO_SPAMreturnventures.com> wrote in message
  > > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
   > > > oops.
   > > >
   > > > Go here.
<font color=brown>   > > > <a style='text-decoration: underline;' href="http://www.wellsfargo.com/</font" target="_blank">http://www.wellsfargo.com/</font</a>>
   > > >
   > > > When you sign on you are not on a secure page. Therefore your userid
 > and
   > > > password are not secure.
   > > > Sure, they send you to a SSL page, but that is after you have sent your
   > > > userid and password over the net.
   > > >
   > > > Am I wrong?
   > > >
   > > >
  > >
  > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT! 

Hey i understand your misunderstanding. And I beleive you are right and I
am wrong, although I don't understand the microsoft article.

Since you asked , here is what I was thinking:

I want my money to be in the Wells Fargo Armored Bank because it is secure
like SSL.

If I have to drive my money in my Dodge Colt of a browser just to get it to
the secure SSL armored bank, then, for at least a few moments the money was
not secure.

I have to send my unencrypted password and username across the unsecure net
just to hit the secure site.
During that brief ride the data was not secure.

OR so it would seem, but i see i need not worry. But I don't know why except
to say there is secure handshake this, secure handshake that going on
between the target server and my broswer

Thanks!!



"Ohaya" <ohaya DeleteThis @cox.net> wrote in message news:3F9206DE.12F4FE7A@cox.net...
 > Jeff,
 >
 > I know you're wrong ( - just kidding!), but I'm still kind of confused
 > about why you thought you were right.
 >
 > I've gone back and re-read your original post, and I still don't
 > understand your concern. The way that this works is:
 >
<font color=purple> > 1) you got to the original <a style='text-decoration: underline;' href="http://www.wellsfargo.com</font" target="_blank">http://www.wellsfargo.com</font</a>>
 > 2) <a style='text-decoration: underline;' href="http://www.wellsfargo.com" target="_blank">www.wellsfargo.com</a> serves an HTML page using HTTP (i.e., the served
 > page is not encrypted when it is served)
 > 3) User types his/her username and password into the text boxes on the
 > served page, then clicks "> Sign on" button
<font color=purple> > 4) Browser makes an SSL connection to <a style='text-decoration: underline;' href="https://online.wellsfargo.com,</font" target="_blank">https://online.wellsfargo.com,</font</a>>
 > then once this SECURE, ENCRYPTED connection is established, the browser
 > sends the username and password (does the POST) to the site. This data
 > is sent over the SECURE, ENCRYPTED connection.
 >
 >
 > So, per above, when the username and password are sent to the host, this
 > is done over a SECURE, ENCRYPTED SSL connection, so I don't understand
 > "But the info is unsecured until it reaches that site." part of your
 > post below.
 >
 > What am I misunderstanding here??
 >
 >
 >
 >
 > Jeff Clark wrote:
  > >
  > > Yes i know it posts to a secure site.
  > > But the info is unsecured until it reaches that site. However it sounds
  > > like i am wrong
  > >
  > > "Ohaya" <ohaya DeleteThis @cox.net> wrote in message
  > > news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
   > > > Jeff,
   > > >
   > > > I think that if you look at that page (Right click -> View Source),
you'll
   > > > find that clicking on the Sign On causes a POST to:
   > > >
<font color=brown>   > > > <a style='text-decoration: underline;' href="https://online.wellsfargo.com/</font" target="_blank">https://online.wellsfargo.com/</font</a>>
   > > >
   > > > Since the POST is being done to an https:, that link will be
SSL-secured.
   > > >
   > > >
   > > >
   > > > "Jeff Clark" <JeffC DeleteThis @NO_SPAMreturnventures.com> wrote in message
   > > > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
   > > > > oops.
   > > > >
   > > > > Go here.
<font color=brown>   > > > > <a style='text-decoration: underline;' href="http://www.wellsfargo.com/</font" target="_blank">http://www.wellsfargo.com/</font</a>>
   > > > >
   > > > > When you sign on you are not on a secure page. Therefore your
userid
  > > and
   > > > > password are not secure.
   > > > > Sure, they send you to a SSL page, but that is after you have sent
your
   > > > > userid and password over the net.
   > > > >
   > > > > Am I wrong?
   > > > >
   > > > >
   > > >
   > > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT! 

Jeff,

Ahh. Analogies!!

Following on your post, the point that I think that you're not
understanding (no sarcasm intended) is that because the POST is going to
an HTTPS URL, this turns your Dodge Colt INTO AN ARMORED CAR (in your
analogy), so that your money is then secure.

If you look at the beginning of the SSL handshake/protocol, NONE of the
data that you entered (your username and password) is sent in the clear,
i.e., it is encrypted and secure.


In case you're wondering, if the POST URL was to an HTTP URL (rather
than to an HTTPS URL), then the entire session would be in the clear,
and then your username and password would be unsecure.







Jeff Clark wrote:
 >
 > Hey i understand your misunderstanding. And I beleive you are right and I
 > am wrong, although I don't understand the microsoft article.
 >
 > Since you asked , here is what I was thinking:
 >
 > I want my money to be in the Wells Fargo Armored Bank because it is secure
 > like SSL.
 >
 > If I have to drive my money in my Dodge Colt of a browser just to get it to
 > the secure SSL armored bank, then, for at least a few moments the money was
 > not secure.
 >
 > I have to send my unencrypted password and username across the unsecure net
 > just to hit the secure site.
 > During that brief ride the data was not secure.
 >
 > OR so it would seem, but i see i need not worry. But I don't know why except
 > to say there is secure handshake this, secure handshake that going on
 > between the target server and my broswer
 >
 > Thanks!!
 >
 > "Ohaya" <ohaya.DeleteThis@cox.net> wrote in message news:3F9206DE.12F4FE7A@cox.net...
  > > Jeff,
  > >
  > > I know you're wrong ( - just kidding!), but I'm still kind of confused
  > > about why you thought you were right.
  > >
  > > I've gone back and re-read your original post, and I still don't
  > > understand your concern. The way that this works is:
  > >
<font color=green>  > > 1) you got to the original <a style='text-decoration: underline;' href="http://www.wellsfargo.com</font" target="_blank">http://www.wellsfargo.com</font</a>>
  > > 2) <a style='text-decoration: underline;' href="http://www.wellsfargo.com" target="_blank">www.wellsfargo.com</a> serves an HTML page using HTTP (i.e., the served
  > > page is not encrypted when it is served)
  > > 3) User types his/her username and password into the text boxes on the
  > > served page, then clicks "> Sign on" button
<font color=green>  > > 4) Browser makes an SSL connection to <a style='text-decoration: underline;' href="https://online.wellsfargo.com,</font" target="_blank">https://online.wellsfargo.com,</font</a>>
  > > then once this SECURE, ENCRYPTED connection is established, the browser
  > > sends the username and password (does the POST) to the site. This data
  > > is sent over the SECURE, ENCRYPTED connection.
  > >
  > >
  > > So, per above, when the username and password are sent to the host, this
  > > is done over a SECURE, ENCRYPTED SSL connection, so I don't understand
  > > "But the info is unsecured until it reaches that site." part of your
  > > post below.
  > >
  > > What am I misunderstanding here??
  > >
  > >
  > >
  > >
  > > Jeff Clark wrote:
   > > >
   > > > Yes i know it posts to a secure site.
   > > > But the info is unsecured until it reaches that site. However it sounds
   > > > like i am wrong
   > > >
   > > > "Ohaya" <ohaya.DeleteThis@cox.net> wrote in message
   > > > news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
   > > > > Jeff,
   > > > >
   > > > > I think that if you look at that page (Right click -> View Source),
 > you'll
   > > > > find that clicking on the Sign On causes a POST to:
   > > > >
<font color=brown>   > > > > <a style='text-decoration: underline;' href="https://online.wellsfargo.com/</font" target="_blank">https://online.wellsfargo.com/</font</a>>
   > > > >
   > > > > Since the POST is being done to an https:, that link will be
 > SSL-secured.
   > > > >
   > > > >
   > > > >
   > > > > "Jeff Clark" <JeffC.DeleteThis@NO_SPAMreturnventures.com> wrote in message
   > > > > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
   > > > > > oops.
   > > > > >
   > > > > > Go here.
<font color=brown>   > > > > > <a style='text-decoration: underline;' href="http://www.wellsfargo.com/</font" target="_blank">http://www.wellsfargo.com/</font</a>>
   > > > > >
   > > > > > When you sign on you are not on a secure page. Therefore your
 > userid
   > > > and
   > > > > > password are not secure.
   > > > > > Sure, they send you to a SSL page, but that is after you have sent
 > your
   > > > > > userid and password over the net.
   > > > > >
   > > > > > Am I wrong?
   > > > > >
   > > > > >
   > > > >
   > > > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT! 

SSL operates at a lower level than HTTP. SSL is used to encrypt the HTTP
traffic.

So, when you wish to request an SSL secured page (either via a GET request,
or via a POST request) the SSL handshake occurs first, then the HTTP
POST/GET request happens (with the posted data being encrypted)

Cheers
Ken

"Jeff Clark" <JeffC.TakeThisOut@NO_SPAMreturnventures.com> wrote in message
news:%23aJzX9dlDHA.744@tk2msftngp13.phx.gbl...
: Yes i know it posts to a secure site.
: But the info is unsecured until it reaches that site. However it sounds
: like i am wrong
:
: "Ohaya" <ohaya.TakeThisOut@cox.net> wrote in message
: news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
: > Jeff,
: >
: > I think that if you look at that page (Right click -> View Source),
you'll
: > find that clicking on the Sign On causes a POST to:
: >
: > https://online.wellsfargo.com/
: >
: > Since the POST is being done to an https:, that link will be
SSL-secured.
: >
: >
: >
: > "Jeff Clark" <JeffC.TakeThisOut@NO_SPAMreturnventures.com> wrote in message
: > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
: > > oops.
: > >
: > > Go here.
: > > http://www.wellsfargo.com/
: > >
: > > When you sign on you are not on a secure page. Therefore your userid
: and
: > > password are not secure.
: > > Sure, they send you to a SSL page, but that is after you have sent
your
: > > userid and password over the net.
: > >
: > > Am I wrong?
: > >
: > >
: >
: >
:
:
 >> Stay informed about: secure site ? NoT! 

ok , yes I see that even with bullet proof night googles.
Thanks.


"Ohaya" <ohaya DeleteThis @cox.net> wrote in message news:3F9229BA.4CF1B960@cox.net...
 > Jeff,
 >
 > Ahh. Analogies!!
 >
 > Following on your post, the point that I think that you're not
 > understanding (no sarcasm intended) is that because the POST is going to
 > an HTTPS URL, this turns your Dodge Colt INTO AN ARMORED CAR (in your
 > analogy), so that your money is then secure.
 >
 > If you look at the beginning of the SSL handshake/protocol, NONE of the
 > data that you entered (your username and password) is sent in the clear,
 > i.e., it is encrypted and secure.
 >
 >
 > In case you're wondering, if the POST URL was to an HTTP URL (rather
 > than to an HTTPS URL), then the entire session would be in the clear,
 > and then your username and password would be unsecure.
 >
 >
 >
 >
 >
 >
 >
 > Jeff Clark wrote:
  > >
  > > Hey i understand your misunderstanding. And I beleive you are right and
I
  > > am wrong, although I don't understand the microsoft article.
  > >
  > > Since you asked , here is what I was thinking:
  > >
  > > I want my money to be in the Wells Fargo Armored Bank because it is
secure
  > > like SSL.
  > >
  > > If I have to drive my money in my Dodge Colt of a browser just to get it
to
  > > the secure SSL armored bank, then, for at least a few moments the money
was
  > > not secure.
  > >
  > > I have to send my unencrypted password and username across the unsecure
net
  > > just to hit the secure site.
  > > During that brief ride the data was not secure.
  > >
  > > OR so it would seem, but i see i need not worry. But I don't know why
except
  > > to say there is secure handshake this, secure handshake that going on
  > > between the target server and my broswer
  > >
  > > Thanks!!
  > >
  > > "Ohaya" <ohaya DeleteThis @cox.net> wrote in message
news:3F9206DE.12F4FE7A@cox.net...
   > > > Jeff,
   > > >
   > > > I know you're wrong ( - just kidding!), but I'm still kind of
confused
   > > > about why you thought you were right.
   > > >
   > > > I've gone back and re-read your original post, and I still don't
   > > > understand your concern. The way that this works is:
   > > >
<font color=brown>   > > > 1) you got to the original <a style='text-decoration: underline;' href="http://www.wellsfargo.com</font" target="_blank">http://www.wellsfargo.com</font</a>>
   > > > 2) <a style='text-decoration: underline;' href="http://www.wellsfargo.com" target="_blank">www.wellsfargo.com</a> serves an HTML page using HTTP (i.e., the served
   > > > page is not encrypted when it is served)
   > > > 3) User types his/her username and password into the text boxes on the
   > > > served page, then clicks "> Sign on" button
<font color=brown>   > > > 4) Browser makes an SSL connection to <a style='text-decoration: underline;' href="https://online.wellsfargo.com,</font" target="_blank">https://online.wellsfargo.com,</font</a>>
   > > > then once this SECURE, ENCRYPTED connection is established, the
browser
   > > > sends the username and password (does the POST) to the site. This
data
   > > > is sent over the SECURE, ENCRYPTED connection.
   > > >
   > > >
   > > > So, per above, when the username and password are sent to the host,
this
   > > > is done over a SECURE, ENCRYPTED SSL connection, so I don't understand
   > > > "But the info is unsecured until it reaches that site." part of your
   > > > post below.
   > > >
   > > > What am I misunderstanding here??
   > > >
   > > >
   > > >
   > > >
   > > > Jeff Clark wrote:
   > > > >
   > > > > Yes i know it posts to a secure site.
   > > > > But the info is unsecured until it reaches that site. However it
sounds
   > > > > like i am wrong
   > > > >
   > > > > "Ohaya" <ohaya DeleteThis @cox.net> wrote in message
   > > > > news:Oq6vXgalDHA.2328@TK2MSFTNGP10.phx.gbl...
   > > > > > Jeff,
   > > > > >
   > > > > > I think that if you look at that page (Right click -> View
Source),
  > > you'll
   > > > > > find that clicking on the Sign On causes a POST to:
   > > > > >
<font color=brown>   > > > > > <a style='text-decoration: underline;' href="https://online.wellsfargo.com/</font" target="_blank">https://online.wellsfargo.com/</font</a>>
   > > > > >
   > > > > > Since the POST is being done to an https:, that link will be
  > > SSL-secured.
   > > > > >
   > > > > >
   > > > > >
   > > > > > "Jeff Clark" <JeffC DeleteThis @NO_SPAMreturnventures.com> wrote in message
   > > > > > news:unJPyUYlDHA.988@TK2MSFTNGP10.phx.gbl...
   > > > > > > oops.
   > > > > > >
   > > > > > > Go here.
<font color=brown>   > > > > > > <a style='text-decoration: underline;' href="http://www.wellsfargo.com/</font" target="_blank">http://www.wellsfargo.com/</font</a>>
   > > > > > >
   > > > > > > When you sign on you are not on a secure page. Therefore your
  > > userid
   > > > > and
   > > > > > > password are not secure.
   > > > > > > Sure, they send you to a SSL page, but that is after you have
sent
  > > your
   > > > > > > userid and password over the net.
   > > > > > >
   > > > > > > Am I wrong?
   > > > > > >
   > > > > > >
   > > > > >
   > > > > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: secure site ? NoT!