On Wed, 30 Nov 2005 23:52:52 -0800, traveler
wrote:

>On Tue, 29 Nov 2005 11:12:05 -0600, Proteus
>wrote:
>
>>I am told by people in charge at the campus where I teach that this login
>>page is secure, that the form login info (username, password) is secure
>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>>page is not encrypted, not secure. Can someone clarify how such a login
>>page can securely transmit the login info? Link to login page is below:
>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>
>Some times the page has to be opened in a new window to see the actual
>encrypted (SSL) page, but it all depends on how the set up is made, if
>you open in a new window and you don't see the SSL, I wouldn't trust
>it.

Its badly designed as although it is secure, it does not look that way
to the user.
--
Jim Watt
http://www.gibnet.com

traveler writes:

>On Tue, 29 Nov 2005 11:12:05 -0600, Proteus
>wrote:

>>I am told by people in charge at the campus where I teach that this login
>>page is secure, that the form login info (username, password) is secure
>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>>page is not encrypted, not secure. Can someone clarify how such a login
>>page can securely transmit the login info? Link to login page is below:
>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm

>Some times the page has to be opened in a new window to see the actual
>encrypted (SSL) page, but it all depends on how the set up is made, if
>you open in a new window and you don't see the SSL, I wouldn't trust
>it.

Here is the line

width="250"> action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
method="post" name="processLogonForm">
for="userName">Username:   name="userName" size="10"/>

for="password">Password:    name="password" size="10" type="password"/>

type="submit"/>

href="login.cfm">having problems?

(all one line in the original). I do not know if the data gets sent to
that https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp page before of after https is invoked.


>Regards
>>

"Unruh" wrote in message
news:dmnav9$t7u$2@nntp.itservices.ubc.ca

> Here is the line
>
> > width="250"> > action="https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp"
> method="post" name="processLogonForm">
> for="userName">Username:   > name="userName" size="10"/>

> for="password">Password:    > id="password"
> name="password" size="10" type="password"/>

> name="Login" type="submit"/>

> class="toplinks"> > href="login.cfm">having problems?

>
>

> (all one line in the original). I do not know if the data gets sent
> to that https://lsc.ims.mnscu.edu/d2l/Tools/login/doLogin.asp
> page before of after https is invoked.

Ethereal shows quite plainly that the data are sent after the https (SSL) is
invoked, but the data are NOT (repeat NOT) encrypted. They are sent as clear
text userName/password to port 443 of the https server.

On 2005-12-01, Jim Watt wrote:
> On Wed, 30 Nov 2005 23:52:52 -0800, traveler
> wrote:
>
>>On Tue, 29 Nov 2005 11:12:05 -0600, Proteus
>>wrote:
>>
>>>I am told by people in charge at the campus where I teach that this login
>>>page is secure, that the form login info (username, password) is secure
>>>when sent. But the browser page (Firefox, Mandriva Linux) info says the
>>>page is not encrypted, not secure. Can someone clarify how such a login
>>>page can securely transmit the login info? Link to login page is below:
>>>http://www.lsc.edu/Online/VirtualCampusLogin.cfm
>>
>>Some times the page has to be opened in a new window to see the actual
>>encrypted (SSL) page, but it all depends on how the set up is made, if
>>you open in a new window and you don't see the SSL, I wouldn't trust
>>it.
>
> Its badly designed as although it is secure, it does not look that way
> to the user.

Could https://lsc.ims.mnscu.edu/ be used as an alternative and would
that be safer?

--
-!-