Security Basics mailing list archives
Re: SSL over http instead of https
From: Nick Owen <nickowen () mindspring com>
Date: Tue, 08 Apr 2008 10:32:04 -0400
winsoc wrote:
Hi list, I recently reviewed a web hosting provider, and made the assumption that due to them not having https that they were not running SSL on their login screens, therefore exposing credentials in cleartext. However, after reviewing the packets it became apparent that when you entered the credentials, there was in fact an SSL handshake and the data was in fact encrypted via SSLv3. Is there any logical reasoning for this? It would appear they use an IIS web server for this purpose.
Are they using JavaScript to encrypt the credentials? Some banks do that...

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid