On Mon, Nov 15, 2010 at 10:29 AM, Vamsee Kanakala <[email protected]> wrote:

> On Monday 15 November 2010 09:13 AM, Manokaran K wrote:
>
>> On Mon, Nov 15, 2010 at 8:31 AM, Ashish Verma <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I want to know if it is possible for someone to gain access to resources
>>> if they capture a person's encrypted password.
>>
>> In https, the entire session is encrypted, not the individual fields. So
>> you cannot see what the password field's value is.
>
> Indeed. But it depends on how long the https encryption is on. Most sites,
> Gmail & Facebook included, turn on https only during login. So though the
> password etc. are encrypted, if the user is able to capture the session
> cookie (say in a public wi-fi hotspot), he can still impersonate you and can
> do whatever he wants. This is the whole premise of the controversial
> Firesheep (http://codebutler.com/firesheep). And of course, then you
> should also read up about Blacksheep. A few sites like GitHub have gone
> fully-https in advent of this. Most of them are yet to, mostly because it
> means significant changes to their network infrastructure.
>
> That said, I'm no security researcher, perhaps somebody with experience in
> this domain can give more insights on this.
>
> Vamsee.
>
> _______________________________________________
> ILUGC Mailing List:
> http://www.ae.iitm.ac.in/mailman/listinfo/ilugc

Gmail uses https all the time by default. Here
<http://mail.google.com/support/bin/answer.py?hl=en&answer=74765> is the
Gmail help file for https-always.
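A defender-side check that follows from the session-cookie point above, added here as an example and not part of the thread: it audits Set-Cookie headers for a login-session cookie that lacks the Secure attribute (so the browser would also send it over plain http, where a wi-fi sniffer can read it) and shows whether a browser would attach a given cookie to an http request. The list of session cookie names and the sample headers are constructed assumptions.

```python
# Added example, not code from the thread. Uses only the standard library.
from http.cookies import SimpleCookie

# Cookie names that commonly carry a login session (assumption; extend per site).
SESSION_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid", "sessid"}


def audit_set_cookie(set_cookie_headers):
    """Return (cookie_name, problem) tuples for session cookies that a
    plain-http page load would expose, i.e. the 'https only at login' pattern."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; Secure; HttpOnly"
        for name, morsel in jar.items():
            if name.lower() not in SESSION_NAMES:
                continue  # a language or preference cookie cannot impersonate you
            if not morsel["secure"]:
                findings.append((name, "missing Secure: sent over plain http too"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly: readable by page scripts"))
    return findings


def would_browser_send(set_cookie_header, scheme):
    """Would a browser attach this cookie to a later request using `scheme`?
    The Secure attribute is exactly what keeps it off http connections."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    for morsel in jar.values():
        if morsel["secure"] and scheme != "https":
            return False
    return True


# Constructed sample responses: the first is the pattern Firesheep relied on.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",      # travels over http after login
    "sid=deadbeef; Path=/; Secure; HttpOnly",  # only ever sent over https
    "lang=en; Path=/",                         # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, problem in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
    print("http request carries sessionid:",
          would_browser_send(SAMPLE_HEADERS[0], "http"))
```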
