Re: SSL over http instead of https
From: Ger Apeldoorn <mailinglists () gerapeldoorn nl>
Date: Tue, 08 Apr 2008 07:13:30 +0200
Sounds like the form is posted using SSL, but the page with the login
boxes is not secure.
This seems safe, except that you cannot verify that the login page is
the correct one, because it is not verified by the certificate before
you fill in your credentials.
I recently reviewed a web hosting provider, and made the assumption that due
to them not having https that they were not running SSL on their login
screens, therefore exposing credentials in cleartext.
However, after reviewing the packets it became apparent that when you entered
the credentials, there was in fact an SSL handshake and the data was in fact
encrypted via SSLv3.
Is there any logical reasoning for this? It would appear they use an IIS
webserver for this purpose.