How do I tell if a form is secure?
The main ingredient of a secure form is the resource that receives the data. The page that contains the fields you fill in need not itself be secure, but the address it submits to must be secure for the transaction to be secure.
To find out if the form is secure do the following:
- View the source of the page and look at the form action attribute - this must start with https://
- If it does not, and there is no http:// prefix either, then the action is a relative URL and the form submits using the same protocol as the current page.
- In that case, check the URL of the page that contains the form (not necessarily the same as the location URL in the case of frames); this must be https://
If none of the above conditions are met, then the form on this page is not secure: its contents will travel across the internet unencrypted, and its details will be visible.
However, even if the connection from your browser to the webserver is secure, there is no guarantee that your data is secure on the backend. The number of websites that use a bog-standard formmail script to email your data to an email address is staggering.
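The check described in the steps above can be automated. The following is an added example, not part of the original page: it reads a page's source, resolves each form's action against the URL of the document that holds the form, and reports whether the submission is encrypted. The function names, the sample HTML and the example.test hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form with no action attribute submits to the document's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(document_url, html_source):
    """Return (raw_action, resolved_target, is_encrypted) for each form.

    document_url must be the URL of the document that holds the form; for a
    framed page that is the frame's URL, not the one in the address bar.
    A <base href> element, if present, is not handled here.
    """
    collector = FormActionCollector()
    collector.feed(html_source)
    results = []
    for raw in collector.actions:
        # An absolute action keeps its own scheme; a relative one is resolved
        # against the document URL and so inherits that document's scheme.
        target = urljoin(document_url, raw.strip())
        results.append((raw, target, urlsplit(target).scheme == "https"))
    return results


# Constructed sample page with three forms (not taken from any real site).
SAMPLE_HTML = """
<form action="https://pay.example.test/charge" method="post"></form>
<form action="/cgi-bin/formmail.pl" method="post"></form>
<form action="http://www.example.test/subscribe" method="post"></form>
"""

if __name__ == "__main__":
    for page in ("http://www.example.test/order.html",
                 "https://www.example.test/order.html"):
        print("Document:", page)
        for raw, target, ok in audit_forms(page, SAMPLE_HTML):
            print("  %-8s %r -> %s" % ("secure" if ok else "INSECURE", raw, target))
```

The relative action in the second form is reported as secure only when the containing document itself was loaded over https://, which is the inheritance rule from the list above.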