RE: SSL over http instead of https
- From: "Depp, Dennis M." <deppdm@xxxxxxxx>
- Date: Mon, 07 Apr 2008 20:42:14 -0400
What kind of authentication are they using? If they are using Windows integrated authentication, then the password is sent encrypted.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of winsoc
Sent: Monday, April 07, 2008 3:27 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: SSL over http instead of https
Hi list,
I recently reviewed a web hosting provider, and made the assumption that due
to them not having https that they were not running SSL on their login
screens- therefore exposing credentials in cleartext.
However, after reviewing the packets it became apparent that when you entered
the credentials, there was in fact an SSL handshake and the data was in fact
encrypted via SSLv3.
Is there any logical reasoning for this? It would appear they use an IIS
webserver for this purpose.
Cheers