Aleem Bawany wrote:

> Anthony, I still have my doubts though. If the client is the one
> posting the data, e.g. a creditcard #, he is posting that data
> to a secure page, but the data itself is flowing from the client
> (currently over http, hence sending everything in clear text),
> to the secure page in "unsecure" mode, because the secure session
> has not yet been instantiated.

No, it's not, as Seb's very clear explanation shows.

All I'll add to this is to suggest that if you really need to *see*
this in action, download Ethereal, the open source "sniffer", and
watch the traffic as you try these different combinations of secure
and insecure connections. Ethereal does a great job of explicitly
identifying the certificate exchange, etc. -- very illuminating.

--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
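
What a capture of the questioned case would show, as an added example that is not part of the original message: a TLS client is asked to send a form POST before any handshake has happened, and the bytes it would put on the wire are collected in memory instead of on a network. The host name, path and card number are constructed sample values.

```python
import ssl

# Constructed sample data (assumptions, not from the original thread).
CARD = b"4111111111111111"      # widely used test card number
HOST = "shop.example"           # placeholder host name

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
TLS_APPLICATION_DATA = 0x17     # TLS record content type: application data


def bytes_sent_before_handshake_completes():
    """Ask a TLS client to POST before the handshake has finished.

    Returns (wire, accepted): every byte the client would transmit, and
    whether the TLS layer accepted the request body for sending.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    from_server = ssl.MemoryBIO()   # stays empty: the server never answers
    to_server = ssl.MemoryBIO()     # stands in for the network
    tls = ctx.wrap_bio(from_server, to_server, server_hostname=HOST)

    body = b"card=" + CARD
    request = (b"POST /checkout HTTP/1.1\r\nHost: " + HOST.encode()
               + b"\r\nContent-Length: " + str(len(body)).encode()
               + b"\r\n\r\n" + body)

    accepted = True
    try:
        # The TLS layer must finish the handshake before it will encrypt
        # and emit application data, so this only produces a ClientHello.
        tls.write(request)
    except ssl.SSLWantReadError:
        # The client is waiting for the server's reply to its ClientHello.
        accepted = False
    return to_server.read(), accepted


def first_record_type(wire):
    """Content type of the first TLS record in the captured bytes."""
    return wire[0]


if __name__ == "__main__":
    wire, accepted = bytes_sent_before_handshake_completes()
    print("request accepted before handshake:", accepted)
    print("first record type: 0x%02x" % first_record_type(wire))
    print("card number visible on the wire:", CARD in wire)
```

The only record emitted is the handshake ClientHello, which carries the host name in the clear but none of the form data.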