SSL – Is POST data encrypted over an SSL connection?

encryption, https, ssl

I've set up my web server to use SSL (I'm using WAMP for my staging scenario before I move it on up to public servers). The purpose of the site at hand has succeeded and I am able to use the site from remote computers using the HTTPS protocol.

A concern that came up with one of my users (testers) was in regard to the POST data. In his test scenario, he is on-site at one of our potential clients, accessing the site behind their VERY picky corporate firewall (we have already worked out how this site applies to their AUP, and we are clean). He is running the site in Firefox using Firebug to monitor the POST and GET data. The question is here:

In his Firebug window, the POST and Response from the XMLHttpRequest are coming back in plain text. Is that because he was the one who initiated the secure connection? Will the POST/Response data show up to the network admins or logs?

Please take note that the intent here is not to deceive admins or circumvent policies; this is an application intended for on-site people at various locations that need to transmit sensitive data. Usage will be coordinated with every network infrastructure we encounter.

Best Answer

Yes, POST data should be encrypted. Everything in the HTTP request should be encrypted in an SSL conversation. Firebug gets its info after SSL data has been decrypted by the browser. If you want to make sure, use something like Fiddler or WebScarab as a proxy sitting in between, although you might have to play games to get them to play nicely with SSL. Here's a page on how to decrypt HTTPS traffic using Fiddler.
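
The difference between the two vantage points in the answer (the endpoint, where Firebug reads, and the network path, where a firewall or log reads), as an added example that is not part of the original post. It uses Go's `httptest` TLS server on loopback; the names `tap` and `Observe`, the `/login` path and the form body are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// tap records every byte written to the socket: what a firewall or capture sees.
type tap struct {
	net.Conn
	wire []byte
}

func (t *tap) Write(p []byte) (int, error) {
	t.wire = append(t.wire, p...)
	return t.Conn.Write(p)
}

// Observe POSTs body over TLS; returns the wire bytes and the body the handler decrypted.
func Observe(body string) ([]byte, string, error) {
	got := make(chan string, 1)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		got <- string(b)
	}))
	defer srv.Close()
	raw, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return nil, "", err
	}
	t := &tap{Conn: raw}
	trust := srv.Client().Transport.(*http.Transport).TLSClientConfig.RootCAs // test cert only
	conn := tls.Client(t, &tls.Config{RootCAs: trust, ServerName: "example.com"})
	defer conn.Close()
	const req = "POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: %d\r\n\r\n%s"
	if _, err := fmt.Fprintf(conn, req, len(body), body); err != nil { // handshake on first write
		return nil, "", err
	}
	return t.wire, <-got, nil
}

func main() {
	wire, seen, err := Observe("user=alice&pin=4921") // constructed sample form body
	fmt.Println(bytes.Contains(wire, []byte("pin=4921")), seen, err)
}
```

The handler gets the form body in clear, just as Firebug does inside the browser, while the captured wire bytes contain neither the request line nor the body. The server name in the TLS ClientHello is still sent in clear with these client settings, so the host being contacted remains visible on the network path.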
