Security Basics mailing list archives
RE: SSL over http instead of https
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Mon, 07 Apr 2008 20:42:14 -0400
What kind of authentication are the using. If they are using Windows integrated authentication, then the password is sent encrypted. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of winsoc Sent: Monday, April 07, 2008 3:27 PM To: security-basics () securityfocus com Subject: SSL over http instead of https Hi list, I recently reviewed a web hosting provider, and made the assumption that due to them not having https that they were not running SSL on their login screens- therefore exposing credentials in cleartext. However after reviewing the packets it became apparent that when you entered the credentials, there was in fact a ssl handshake and the data was in fact encrypted via sslv3. Is there any logical reasoning for this- it would appear they use a IIS webserver for this purpose. Cheers
Current thread:
- SSL over http instead of https winsoc (Apr 07)
- RE: SSL over http instead of https Depp, Dennis M. (Apr 08)
- Re: SSL over http instead of https Ger Apeldoorn (Apr 08)
- Re: SSL over http instead of https Nick Owen (Apr 08)