Security Basics mailing list archives
Re: SSL over http instead of https
From: Ger Apeldoorn <mailinglists () gerapeldoorn nl>
Date: Tue, 08 Apr 2008 07:13:30 +0200
Hi,Sounds like the form is posted using ssl, but the page with the login boxes is not secure.
This seems safe, except that you cannot verify that the login page is the correct one, because it is not verified by the certificate before you fill in your credentials.
Greetings, Ger Apeldoorn winsoc wrote:
Hi list, I recently reviewed a web hosting provider, and made the assumption that due to them not having https that they were not running SSL on their login screens- therefore exposing credentials in cleartext. However after reviewing the packets it became apparent that when you entered the credentials, there was in fact a ssl handshake and the data was in fact encrypted via sslv3. Is there any logical reasoning for this- it would appear they use a IISwebserver for this purpose.Cheers
Current thread:
- SSL over http instead of https winsoc (Apr 07)
- RE: SSL over http instead of https Depp, Dennis M. (Apr 08)
- Re: SSL over http instead of https Ger Apeldoorn (Apr 08)
- Re: SSL over http instead of https Nick Owen (Apr 08)