SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
|  reply to coxengr
Re: [ALL] Wash Post criticizes Cox over email security
said by coxengr  :I can confirm this is in the works. Will be forthcoming shortly..... Any updated information to share?
--
"When all else fails, read the instructions..." |
|
coxengr
Premium,VIP
join:2002-03-09
Atlanta, GA | reply to short09
I can confirm this is in the works. Will be forthcoming shortly..... |
|
short09
join:2006-07-21
| reply to NoVA_CoxUser
said by NoVA_CoxUser :And to make matters worse, your "base" e-mail password IS your Cox online account management password!  yup......that makes it twice as easy for a hacker to steal the password.....a hacker could have complete access to a subscribers account if they wanted to |
|
pbvan
join:2003-02-09
Fairfax, VA | reply to NoVA_CoxUser
Thanxs for the link. Your condensed version was great and the link provided further explanation in terms I could understand. |
|
NoVA_CoxUser
Stand back from the cage -- The RF bites
Premium
join:2004-07-06
Alexandria, VA
 ·Cox HSI
4 edits | reply to pbvan
said by pbvan : ... when logging into cox.net, the » https:// page is where I log into for my email accounts. The actual page showing my email boxes is » . I think you might find the explanation provided in the following page helpful: »www.michaelhorowitz.com/securesubmit.html
To summarize:
1) Just because the page where you enter personal info is SSL-secured, doesn't mean that your personal info will be (or won't be) SSL-secured in-transmission when you click "login" ...
... It CAN however give you some assurance that the page which you are viewing is "genuine" if you verify the certificate's name and signing chain -- in other words, just because you have an SSL connection to a site doesn't necessarily mean that it's to the site to which you mean to be SSL-connected.
What IS important is whether the code underlying the "login" button is "http" or "https". (explained in the "Bad News" section in the earlier link)
2) Similarly, just because the "post-login" pages you receive from a site aren't SSL-secured, doesn't necessarily mean that your UID/Password was transmitted "in the clear"
Our own DSLR "SSL Log in" is one such example:
While your actual username/password are SSL-secured when transmitted ... specifically by this section of the page ...
FORM ACTION="https://secure.dslreports.com/r3/login"
Unfortunately, Cox's webmail authentication is only insecure, so regardless of what page you're reaching it from, your username/password is always transmitted "in the clear." |
|
pbvan
join:2003-02-09
Fairfax, VA
| reply to NoVA_CoxUser
NoVa_cox user ..... when logging into cox.net, the »https:// page is where I log into for my email accounts. The actual page showing my email boxes is ». When I want to view my account both login and the page displaying my account info is »https://.
Does this mean that my login info IS secure regardless of my inbox NOT being secure? I don't use my Cox mailbox for anything other than its an active email for those sites that require one that I don't care about.
I have email accounts with earthlink using server port 587. Now are these emails also NOT secure?
I too read the Post article and was somewhat surprised that Cox doesn't use SSL when viewing emails. I know just enough to look for that lock or »https:// when transmitting personal info.
Also I am now using a MacBook Pro using Safari (its ok, better than IE6) and the Mac Mail program now. |
|
NoVA_CoxUser
Stand back from the cage -- The RF bites
Premium
join:2004-07-06
Alexandria, VA
1 edit | reply to Radardan
And to make matters worse, your "base" e-mail password IS your Cox online account management password! |
|
