To https or not to https



Greg Blank
21-Mar-2011, 09:30
The question is: I am considering using an online service that bills credit cards for the service they provide. The site is an online gallery service that requires you to create a password and log in prior to joining as a member; once you join you can update the account settings and pay using a credit card. The address for the credit card form is an https address but the lock symbol does not appear in the corner of the browser, so is that important or less important than the https designation?

Ben Syverson
21-Mar-2011, 10:11
Are you sure there's no lock icon to the right of the address bar?

Greg Blank
21-Mar-2011, 13:15
> Are you sure there's no lock icon to the right of the address bar?

Yes, I am sure.

Leigh
21-Mar-2011, 13:26
I don't know what browser you're using. The security icon display may differ. On Firefox it only shows when the entire page is encrypted.

However, the provider must pay for that to happen, so many opt to only encrypt the data that is sent from you to the website. The displayed page content is not encrypted.

When this occurs, the security icon will usually not be displayed.

If the URL begins with https: then you are in fact using the secure connection protocol.

Use of public key encryption costs money. The provider (website) must pay each time encrypted data is sent either direction.

- Leigh

Ben Syverson
21-Mar-2011, 13:46
> Use of public key encryption costs money. The provider (website) must pay each time encrypted data is sent either direction.

Not exactly... You pay for the certificate itself—encrypting the data is free.

But Leigh is right—if you're seeing "https://" then the site is indeed encrypted.

Mike Anderson
21-Mar-2011, 14:24
If it says "https" the transmission is encoded with a security certificate, and I think most browsers will warn you if the server's security certificate is fishy, e.g. doesn't seem to jibe with the server's address.

...Mike

Leigh
21-Mar-2011, 14:59
> Not exactly... You pay for the certificate itself—encrypting the data is free.

Well, sort of.

Certificates are available in different "volume" levels, i.e. light, moderate, or heavy, depending on how much traffic you expect. It's based on the number of times the cert is queried. That happens each time an encrypted transmission is made from either end of the connection. One way to reduce that count is to send outbound traffic (the web page) in the clear and only encrypt the response.

I used to work for one of the companies in that business. We had a number of different tiers available, depending on the client's requirements. If the traffic for a given client exceeded the permitted level, the cert would show up as "not validated" until they ponied up more $$.

At least that's how it worked a few years ago. Things may have changed.

- Leigh

timparkin
22-Mar-2011, 12:55
> The question is: I am considering using an online service that bills credit cards for the service they provide. The site is an online gallery service that requires you to create a password and log in prior to joining as a member; once you join you can update the account settings and pay using a credit card. The address for the credit card form is an https address but the lock symbol does not appear in the corner of the browser, so is that important or less important than the https designation?

It's the destination of the form that is more important than the page the form is on.

If when you submit the form it ends up on a https page then the data will have been encrypted on the way through.

Of course, if you are trying to convince people to use the form, it may be better to get that on a https page as well if possible (although it will make no difference in security in any way).

Tim

domaz
22-Mar-2011, 15:45
You won't get the lock icon if some inline items (usually images) on the page aren't being transmitted in https. This doesn't mean it's not encrypted; it just means the entire page isn't encrypted. Take a look at the source of the page and look for images that are hard-coded to go to an "http://" address. Those need to be changed to local links or absolute "https://" addresses.
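
The two checks described in the replies above (where the form submits to, and which inline items are hard-coded to "http://"), as an added example that is not part of the original thread. The page URL and HTML are constructed samples, and `PageAudit` and `audit` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "source": "src", "object": "data"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_resources = []  # (tag, absolute http:// URL)
        self.form_targets = []        # (absolute action URL, is_https)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self.form_targets.append((target, urlparse(target).scheme == "https"))
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            ref = attrs.get("href") if "stylesheet" in rel else None
        else:
            ref = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if ref:
            # Relative and scheme-relative URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, ref)
            if urlparse(absolute).scheme == "http":
                self.insecure_resources.append((tag, absolute))

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.insecure_resources, parser.form_targets

# Constructed sample page, not the gallery site from the thread.
SAMPLE_URL = "https://gallery.example/account/billing"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css"></head><body>
<img src="http://gallery.example/img/logo.png">
<script src="//cdn.example/lib.js"></script>
<form method="post" action="/account/pay"><input name="card"></form>
<form method="post" action="http://gallery.example/newsletter"></form>
</body></html>"""

if __name__ == "__main__":
    resources, forms = audit(SAMPLE_URL, SAMPLE_HTML)
    print("insecure subresources:", resources)
    print("form targets:", forms)
```

On the sample, the hard-coded logo image is the only item that would suppress the lock icon, and the second form is the only one whose data would leave the browser unencrypted.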

Greg Blank
22-Mar-2011, 18:48
That's what I like about this forum "LF": for the most part everyone is polite, and when you need knowledge there is lots of help to be had. Thanks, guys :)