Home page logo

basics logo Security Basics mailing list archives

Re: SSL over http instead of https
From: Nick Owen <nickowen () mindspring com>
Date: Tue, 08 Apr 2008 10:32:04 -0400

winsoc wrote:
Hi list,
I recently reviewed a web hosting provider, and made the assumption that due
to them not having https that they were not running SSL on their login
screens- therefore exposing credentials in cleartext.
However after reviewing the packets it became apparent that when you entered
the credentials, there was in fact a ssl handshake and the data was in fact
encrypted via sslv3.
Is there any logical reasoning for this- it would appear they use a IIS
webserver for this purpose.

Are the using Javascript to encrypt the credentials?  Some banks do that...

Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]