https on a third party non https site

Question

Let's say there is a third party site not protected under https.

The third party site integrated a javascript call that basically gets a payment form from my site and adds the payment form on the third party site.

The person fills out the payment form which has a form action of "https://example.com/... " where example.com is my site.

Will their information be encrypted even though they are filling out the payment form on a site not https protected, but the form action is https protected.

so basically:

the site that the payment form gets shown in is called http://thirdparty.com/welcome

The payment form has the following form code:

<form name = "payment" action = "https://example.com/process">

this form is being shown on a non-https encrypted site: http://thirdparty.com/welcome and being sent to https://example.com/process

will the information provided in that form be encrypted?

yes it will be encrypted, make sure to mention method="POST" in the fom. — rajesh, Aug 10 '12 at 15:25
possible duplicate: http://stackoverflow.com/questions/274274/is-it-secure-to-submit-from-a-http-form-to-https — Nick Fury, Aug 10 '12 at 15:26

score 1 · Accepted Answer · answered Aug 10 '12 at 15:49

The information they submit will be encrypted when it is sent over HTTP…

… but the page containing the form is insecure, can be intercepted enroute to the client, and can have extra JavaScript added to it. Such JavaScript might copy the payment information they enter to an attacker's server (before it gets encrypted).

So the approach is, overall, not secure.

The user should be directed to a form hosted by your site in a page on your site, and not embedded on a third party site.

https on a third party non https site

1 Answers1