Re: Is .NET Passport credential traffic secure?

From: *Vanguard* (no-email_at_post-reply-in-newsgroup.invalid)
Date: 03/07/04 

Date: Sun, 7 Mar 2004 14:14:48 -0600

"Stan" said in news:OKdE%23YGBEHA.640@TK2MSFTNGP09.phx.gbl:
> When visiting web sites that prompt for a .NET Passport username and
> password (hotmail.com, ebay.com, etc.), are the credentials
> transmitted in encrypted format? I don't always see the padlock
> symbol; if I do see the padlock symbol, it appears only momentarily,
> *after* I press the Submit button.

Why would you see a padlock? Your Passport account information is not
coming from YOU. It has already been stored and is online, so a
Passport-enabled provider gets the info from your account, not from you.

When you sign into a Passport-enabled web site, and because they don't
know yet if you are really a Passport user (since they obviously don't
want to turn away sales from non-Passport users), make sure that site
uses an SSL secured (HTTPS) login page so your username and password get
sent encrypted. The padlock should appear when the page is presented
where you enter your username and password. Some sites try to use a
program to handle the submitted data and then send it elsehwere
encrypted but it still got sent in plain text from you to their server
that runs that program. If you don't see a padlock (i.e., you are on an
HTTPS web page) then I wouldn't consider the login as secure. You need
to establish the SSL connect BEFORE you submit your data.

Quantcast