On 2000-09-07, Gary Algier <[EMAIL PROTECTED]> wrote:

> The posts will go via SSL, however, I don't like interfaces set up
> this way to supply any sensitive information. One dot-com I was
> considering buying from did this and I was entering my credit card
> information and looked at the current page and saw that it was not
> secure so (rather than doing a view-source and reading the HTML) I
> used the telephone to order. Checking later I realized I would
> have been OK.

Not necessarily. Besides simply being bad form, and bad for user/consumer confidence, there certainly is a good reason for input-form pages to be served via SSL (and verified by the browser...). Who's to say that your ISP wasn't being DNS-cache-poisoned for insecure.example.com, and the order form at http://insecure.example.com/ (which specified where to POST to) wasn't being spoofed?

Paranoia is good. You did the right thing. ;)

--
Hank Leininger <[EMAIL PROTECTED]>

[ Or someone claiming to be him. ]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
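
The point made in the reply above, as an added example that is not part of the original message: a site audit should flag a sensitive form by how the page carrying it was delivered, not only by where it POSTs. The field-name hints, the sample markup and the host secure.example.com are assumptions constructed for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristic: substrings of input names that suggest sensitive data.
SENSITIVE_HINTS = ("card", "cvv", "passw", "ssn")
# Constructed sample: order form whose POST target is HTTPS.
SAMPLE = ('<form method="post" action="https://secure.example.com/checkout">'
          '<input type="text" name="card_number"></form>')

class FormAudit(HTMLParser):
    """Record each form's action and whether it holds sensitive-looking inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "").lower()
            if kind == "password" or any(h in name for h in SENSITIVE_HINTS):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(page_url, html):
    """Return (post_target, finding) for every sensitive form on the page."""
    parser = FormAudit()
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        if not page_secure:
            # The action arrived unauthenticated, so an https:// value proves nothing.
            finding = "form-served-insecurely"
        elif urlparse(target).scheme != "https":
            finding = "insecure-post-target"
        else:
            finding = "ok"
        findings.append((target, finding))
    return findings
```
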