Jeffrey F. Bloss wrote:
> Dr Balwinder Singh Dheeman wrote:
>> Proteus wrote:
>>> I am told by people in charge at the campus where I teach that this
>>> login page is secure, that the form login info (username, password) is
>>> secure when sent. But the browser page (Firefox, Mandriva Linux) info
>>> says the page is not encrypted, not secure. Can someone clarify how such
>>> a login page can securely transmit the login info? Link to login page is
>>> below: http://www.lsc.edu/Online/VirtualCampusLogin.cfm
> Just to clarify, the login form is built this way...
>
> <form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
> method="post" ... >
>
> doLogin.asp is essentially a bit of JavaScript that does this among other
> things...
>
> form.action = 'https://lsc.ims.mnscu.edu';
> [...]
> form.submit();
>
> A secure connection is negotiated before any form data is submitted, so
> nothing but the form and the login script is sent in the clear, to the
> site's visitor. No names or passwords or anything go back the other way
> unencrypted.
Thank you for the explanation, and thanks to Proteus for
bringing it up. This is something I've wondered about for
a long time.
I used snort to capture the session, and saw that port 443
quickly came into play, and saw something resembling a
certificate go past ("$Equifax Secure Certificate Authority0...0504211"),
and noted that my "bait" username and password did not
appear in the clear.
--
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net
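As an added example (not from the thread or the site it discusses), a small Python check that classifies a login page's forms the way a defender would: it resolves each form action against the page URL and flags password forms whose action is HTTPS but whose page arrived over plain HTTP, which is the configuration described above and the reason the browser reports the page as not secure even though the credentials themselves travel encrypted. The page URL and form action are the ones quoted in the thread; the HTML markup around them is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    """Collect each <form>'s resolved action and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action resolves against the page URL and inherits its scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (action, verdict) for every form on the page that collects a password."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme != "https":
            verdict = "action-http"  # credentials would leave the browser in the clear
        elif not page_https:
            verdict = "page-http"    # credentials encrypted, but the form arrived unprotected
        else:
            verdict = "ok"
        results.append((form["action"], verdict))
    return results

# Constructed sample modelled on the thread's form; not the real page's markup.
SAMPLE_PAGE_URL = "http://www.lsc.edu/Online/VirtualCampusLogin.cfm"
SAMPLE_HTML = """<form action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp" method="post">
<input type="text" name="username"><input type="password" name="password"></form>
<form action="search.cfm"><input type="text" name="q"></form>"""
```

Calling `audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` yields a single `page-http` verdict for the login form; the search form has no password field and is skipped.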