I was accessing an webmail server that uses outlook web access and shows a padlock and digital certificate. What I got surprised is that I was able to capture the password and username with a sniffer (cain).

Wasn't it supposed to encrypt the password before sending it to the network?

I'm not experienced but I'm trying to understand how those certicates work.


9 Years
Discussion Span
Last Post by DimaYasny

It doesn't encrypt the data, it just encrypts the traffic transferred over port 443. If your running this on the local machine, it already has access to one side of the trusted relationship, and isn't a valid test, trying to do network sniffing on the same subnet from a different machine would be a better test for this situation.


thanks for the reply, blud!

I didnt mention it but I used the infamous ARP poisoning to capture the traffic from the other machine (the one that was accessing the e-mail service).


Unfortunately I don't know enough about OWA to go into details about how it secures data, but it does seem odd that you were able to sniff the username/password sent to the SSL Encrypted site on a machine that doesn't have the private key.


it is possible that the key was used to only verify the site isn't a phishing site, but the communication didn't require encryption

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.