While setting up a mailbox for the whole family I encountered the following:
It looks silly, so of course I started sniffing to see what went over the line. It is as safe as it can get. This is what happens:
The validation form is SSL. This is what you see in the network traffic as well: a nice SSL session setup and then only encrypted traffic.
My problem with this way of securing traffic is: how do you ENSURE (as a user) that SSL is kicking in? Security is a thing for ALL parties. I as a user MUST check my part: where do I leave my credentials? And of course the server (the company I want to leave my credentials with) must do its part: the credentials must be secured and not readable in transit. KPN does its part very well here, but they disable my part, because I do not want to go to the source of the website to check whether I am leaving my credentials in the right hands.
Would it help to mail this team?
I hope they will change this, for this may confuse everybody who was made aware of SSL in recent years. Make the whole page use SSL; then it SHOWS that you could leave your credentials here…