On Monday 15 November 2010 09:13 AM, Manokaran K wrote:
On Mon, Nov 15, 2010 at 8:31 AM, Ashish Verma wrote:
Hi,
I want to know if it is possible for someone to gain access to resources if
they capture a person's encrypted password.
In https, the entire session is encrypted, not the individual fields. So you
cannot see what the password field's value is.
Indeed. But it depends on how long the https encryption is on. Most
sites, Gmail & Facebook included, turn on https only during login. So
though the password etc. are encrypted, if the user is able to
capture the session cookie (say in a public wi-fi hotspot), he can still
impersonate you and can do whatever he wants. This is the whole premise
of the controversial Firesheep (http://codebutler.com/firesheep). And of
course, then you should also read up about Blacksheep. A few sites like
GitHub have gone fully-https in advent of this. Most of them are yet to,
mostly because it means significant changes to their network
infrastructure.
That said, I'm no security researcher, perhaps somebody with experience
in this domain can give more insights on this.
Vamsee.
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
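An added example, not from the thread: a small Python check a site operator can run over a server's response headers to spot the weakness Vamsee describes. A session cookie set without the Secure attribute is resent by the browser on every plain http:// request after the https-only login, which is exactly what a listener on a shared hotspot collects; Secure plus HSTS keeps it on https. SAMPLE_HEADERS is constructed for the example and not captured from any real site.

```python
from http.cookies import SimpleCookie

# Constructed sample of response headers from a hypothetical site that
# uses https for login only (not captured from any real service).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=3f9a1c; Path=/; HttpOnly"),        # no Secure flag
    ("Set-Cookie", "csrf=7b2e; Path=/; Secure"),           # no HttpOnly flag
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"), # both flags set
]


def audit_cookies(headers):
    """Return {cookie_name: [problems]} for every Set-Cookie header.

    A cookie without 'Secure' is sent on every http:// request, so a
    passive listener on the same network can copy and replay it.
    A cookie without 'HttpOnly' can also be read by script in the page.
    """
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses attributes such as Secure and HttpOnly
        for cookie_name, morsel in jar.items():
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent in clear over http://")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable from page scripts")
            if problems:
                findings[cookie_name] = problems
    return findings


def has_hsts(headers):
    """True if the site tells browsers to use https for every request,
    closing the gap where a cookie crosses a plain http:// link."""
    return any(n.lower() == "strict-transport-security" for n, _ in headers)


def sniffable_cookies(headers):
    """Names of cookies a passive observer on plain http could capture."""
    return sorted(name for name, problems in audit_cookies(headers).items()
                  if any(p.startswith("missing Secure") for p in problems))


if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", "; ".join(problems))
    print("HSTS present:", has_hsts(SAMPLE_HEADERS))
```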