Online banking with JavaScript?


webdoctor - 9:02 pm on May 17, 2006 (gmt 0)


I thought there was some "handshaking" that went on between the client and server to authenticate keys/certificates.

But the empty form coming from the site to your browser, ready to be filled in, has no sensitive information in it, and so there's no actual need to secure it.

You only need to secure the POSTed (or GETed) response on its way from your browser back to the server, since this contains the sensitive information.

Remember, the empty form could have come from a completely different source - it could even be stored locally on your hard drive. You could enter the values and then SUBMIT them to a server over SSL. This is why you always validate user input on the server not on the client - it's too easy to get round validation if it's client-side.

I should point out that it's pretty odd not to secure the initial form, but there *is* a significant load associated with setting up an SSL connection.
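
Added example (not part of the original post): a server-side check that validates a POSTed form body exactly as received, without assuming anything about the page that produced it. The field names `account` and `pin`, their formats and the size limit are hypothetical.

```javascript
'use strict';
// Hypothetical field rules; a real form defines its own fields and limits.
const RULES = {
  account: /^[0-9]{8,12}$/, // assumed format: 8 to 12 digits
  pin: /^[0-9]{4,8}$/,      // assumed format: 4 to 8 digits
};
const MAX_BODY_BYTES = 1024; // assumed upper bound for this small form

// Validate a raw application/x-www-form-urlencoded body on the server.
// The form that sent it may be a local copy with its client-side checks
// removed, so every rule is enforced again here.
function validateLoginBody(rawBody) {
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody) > MAX_BODY_BYTES) {
    return { ok: false, errors: ['body missing or too large'], values: null };
  }
  const errors = [];
  const params = new URLSearchParams(rawBody); // also percent-decodes values
  // Reject fields the server never asked for.
  for (const name of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }
  const values = {};
  for (const [name, pattern] of Object.entries(RULES)) {
    const all = params.getAll(name);
    if (all.length !== 1) {
      // Missing or duplicated fields are ambiguous; refuse rather than guess.
      errors.push(`${name}: expected exactly one value, got ${all.length}`);
    } else if (!pattern.test(all[0])) {
      errors.push(`${name}: invalid format`);
    } else {
      values[name] = all[0];
    }
  }
  return errors.length ? { ok: false, errors, values: null } : { ok: true, errors, values };
}

// Constructed sample bodies, as a server might receive them.
const SAMPLES = [
  'account=12345678&pin=4321',           // well-formed
  'account=12345678&pin=12',             // too short for the pin rule
  'account=12345678&pin=4321&pin=0000',  // duplicated field
  'account=12345678&pin=4321&admin=1',   // field the form never had
];
for (const body of SAMPLES) {
  console.log(body, '->', JSON.stringify(validateLoginBody(body)));
}
```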


Thread source: http://www.webmasterworld.com/ecommerce/5123.htm