Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Joshua Slive
On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: > I think I now understanding the attack. They are changing the response > information when the login form is being sent to the user in plain > text. Yep. Joshua. - The offi

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Mark McCulligh
Joshua Slive wrote: On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: This type of attack can be pulled off even if the login form is secured. The attacker just has create a login page that looks like mine and get the user to use it. A lot of users won't realize they are on the wrong web

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Joshua Slive
On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: > > This type of attack can be pulled off even if the login form is secured. > The attacker just has create a login page that looks like mine and get > the user to use it. A lot of users won't realize they are on the wrong > website and the lock

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Mark McCulligh
Joshua Slive wrote: On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: The client should alway be logging in on their website for I hope they reallize if they where not on their website. I'm not sure if you understood or not, but my point was that a man-in-the-middle could make it l

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Joshua Slive
On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: > The client should alway be logging > in on their website for I hope they reallize if they where not on their > website. I'm not sure if you understood or not, but my point was that a man-in-the-middle could make it look exactly like they were

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Mark McCulligh
Joshua Slive wrote: On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: If you have a login html (http://www.ex.com/login.html) where the action is to a https website (https://www.ex2.com/login_script.php). Will the login information be submitted encrypted. Or does the user first have to b

Re: [EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Joshua Slive
On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: > If you have a login html (http://www.ex.com/login.html) where the > action is to a https website (https://www.ex2.com/login_script.php). > Will the login information be submitted encrypted. Or does the user > first have to be on to the secure

[EMAIL PROTECTED] SSL / HTML question

2006-02-06 Thread Mark McCulligh
If you have a login html (http://www.ex.com/login.html) where the action is to a https website (https://www.ex2.com/login_script.php). Will the login information be submitted encrypted. Or does the user first have to be on to the secure website before loggin in? Just wondering when you go fr