Home page logo

basics logo Security Basics mailing list archives

Re: SSL over http instead of https
From: Ger Apeldoorn <mailinglists () gerapeldoorn nl>
Date: Tue, 08 Apr 2008 07:13:30 +0200


Sounds like the form is posted using ssl, but the page with the login boxes is not secure.

This seems safe, except that you cannot verify that the login page is the correct one, because it is not verified by the certificate before you fill in your credentials.


Ger Apeldoorn

winsoc wrote:
Hi list,
I recently reviewed a web hosting provider, and made the assumption that due
to them not having https that they were not running SSL on their login
screens- therefore exposing credentials in cleartext.
However after reviewing the packets it became apparent that when you entered
the credentials, there was in fact a ssl handshake and the data was in fact
encrypted via sslv3.
Is there any logical reasoning for this- it would appear they use a IIS
webserver for this purpose.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]