
ssl-login-checkbox faked in Lycos webmail-frontend



Lycos Webmail offers a checkbox named "SSL LOGIN" which lets you assume a secure 
transfer of your credentials - it's only pretended! Repeated sniffs show 
account and password in cleartext - no https-packet came across...
The interesting part of the related http-packet:

...
login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******&password=geheim000&ssl=on
HTTP/1.0 302 Found
Date: Thu, 25 Aug 2005 17:51:48 GMT
Content-Length: 63
Content-Type: text/html
Expires: Fri, 26 Aug 2005 17:51:48 GMT
Cache-Control: max-age=86400, private
Proxy-Connection: keep-alive
Server: Apache/1.3.33 (Unix) Resin/2.1.12 mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c

...and so on. Funny, isn't it? Or poor!

Lycos informed on July 27.

greetings - fish
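
Added example, not part of the original post: a check for the mismatch reported above, run over a request captured unencrypted on the wire. It flags form posts that carry a real password value and notes when the same post also carries an "encrypted login" flag such as ssl=on. The request line, Host header, function name and field-name lists are assumptions; only the form body comes from the post.

```python
from urllib.parse import parse_qs

# Field-name fragments treated as secrets (assumption; extend for your apps).
SECRET_HINTS = ("pass", "pwd", "secret")
# Parameters suggesting the form promised an encrypted login (assumption).
TLS_CLAIM_FIELDS = ("ssl", "secure", "https")
TRUTHY = ("on", "1", "true", "yes")

# Constructed sample: request line and headers are invented for illustration;
# the form body is the one quoted in the post. Seen on plain TCP, no TLS.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.0\r\n"
    b"Host: webmail.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******"
    b"&password=geheim000&ssl=on"
)


def audit_cleartext_post(raw: bytes) -> dict:
    """Inspect one HTTP request that was readable without decryption."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings = {"exposed_fields": [], "tls_claimed": False}
    content_type = headers.get("content-type", "")
    if method != "POST" or "x-www-form-urlencoded" not in content_type:
        return findings

    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for name, values in form.items():
        lname = name.lower()
        # Ignore masked placeholders such as "******"; flag real values only.
        if any(h in lname for h in SECRET_HINTS) and any(v.strip("*") for v in values):
            findings["exposed_fields"].append(name)
        if lname in TLS_CLAIM_FIELDS and values[-1].lower() in TRUTHY:
            findings["tls_claimed"] = True
    return findings


if __name__ == "__main__":
    print(audit_cleartext_post(SAMPLE_REQUEST))
```

A result with both a non-empty exposed_fields list and tls_claimed set is the case described in the post: the form promised SSL but the credentials left the browser over plain HTTP.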