Is a POST from HTTP to HTTPS secure?

I have a HTTP page with a form. If I set the action to a HTTPS page, is the request secure? Does the browser process all the data before it sends it to the net? Or should I use HTTPS for my entire开发者_JS百科 site?

Yes, it'll be secure if the location your form is posting to is HTTPS.

Users, however, may freak out that there's no lock icon in their browser on the page with the form. You may be better off from a usability standpoint having both pages be HTTPS.

No. Troy Hunt identifies a simple man-in-the-middle attack that shows that posting from HTTP to HTTPS is by no means secure. With the proliferation of free WiFi this attack would be very simple to execute.

http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

Yes. As long as the request that needs to be secure is https, you're good.

That being said, many key sites, including gmail, have stopped bothering carving off small sections of their site to be https and just made their whole site https. It's easier and safer, and you lose little in the way of performance.

Dont do it!

Consider a MITM attack where an attacker sitting on the wire somewhere between the server and client modifies the login form before it reaches the client. The login form now includes a keylogger or points the POST action to a phishing page instead of the authentic server. There is no warning or UI cue for the end-user, so they go ahead and submit the form.

Consider a MITM attack that involves the attacker deploying a "free Wifi" at a coffee shop (via a smartphone hotspot or whatever). When unsuspecting people use this "free Wifi" to login with an HTTP form, even though it does a POST to HTTPS, the attacker can see the user's plaintext credentials by analyzing their hotspot network traffic.

References:

• TLS and SSL in the real world
• SSL Strip
• Your login form posts to HTTPS, but you blew it when you loaded it over HTTP
• Is it secure to submit from a HTTP form to HTTPS?

The actual data transfer from your form to the server is encrypted when posting over HTTPS. If that is what you mean by secure, then yes, it is secure.

I think what you are getting at in your question is, what about client-side stuff reading the form prior to post. That is certainly possible, HTTPS or not.

On another note though, you should probably use HTTPS for the actual form. Some browsers warn users as their posts are redirected over the HTTP/HTTPS boundary. Plus, I don't think your users will be happy filling out a form where there is no secure icon showing.

If you set action to HTTPS this will indeed be secure. Before anything can happen over HTTPS a handshake has to occur, and the browser sending the data will have to do this when the action occurs.