1 Reply Latest reply on Sep 4, 2010 3:17 PM by ezRAD.com

    Why is https POST inside of http a security concern?

    ezRAD.com

      Could someone please explain to me why submitting a secure POST inside of a non-secure web page is a security concern?

       

      For example, http://www.ezrad.com is my web page and Adobe Flex application.  When you click on "Register" and then "Join", "Buy Credits" and then "Submit" or "Cash Out" and then "Submit", why is it a problem to do the "Join" and "Submit" POSTs securely?  I don't want to have to host the entire application via my https://www.ezrad.com secure web server.  This would slow it down and create an unnecessary load on my server.  I don't need every .swf and every .jpg encrypted using SSL.  I only need the sensitive data encrypted when submitted to or returned from the server.  Why is Adobe Flex forcing me to encrypt everything or encrypt nothing?

       

      I agree that it would be a security issue to allow it in the reverse.  If https://www.ezrad.com was allowed to POST via http://www.ezrad.com requests, that would be a problem.  You would be leaving the user with the impression that it is secure but the application would be submitting non-secure requests.  That is not what I am asking.  If the browser is showing http://www.ezrad.com and selectively submitting secure requests for the data-sensitive parts of the application, why is this a problem?  It reminds me of older versions of Internet Explorer that warned you when data was being sent securely.  This is absurd.  It didn't warn you that practically everything that you do on the Internet is not secure.  It came up with an intimidating message telling you to "be careful, what you are about to submit is going to be secure".  Nonsense, completely backwards.  Is there a way around this?  Thank you!!