I was accessing a webmail server that uses Outlook Web Access and shows a padlock and a digital certificate. What surprised me is that I was able to capture the password and username with a sniffer (Cain).

Wasn't it supposed to encrypt the password before sending it to the network?

I'm not experienced, but I'm trying to understand how those certificates work.


It doesn't encrypt the data, it just encrypts the traffic transferred over port 443. If you're running this on the local machine, it already has access to one side of the trusted relationship, and that isn't a valid test. Trying to do network sniffing on the same subnet from a different machine would be a better test for this situation.

Thanks for the reply, blud!

I didn't mention it, but I used the infamous ARP poisoning to capture the traffic from the other machine (the one that was accessing the e-mail service).

Unfortunately I don't know enough about OWA to go into details about how it secures data, but it does seem odd that you were able to sniff the username/password sent to the SSL-encrypted site from a machine that doesn't have the private key.

It is possible that the key was used only to verify that the site isn't a phishing site, but the communication didn't require encryption.
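Added example (not from any poster in this thread): a small Python script that shows the difference the thread is circling around. A sniffer on the path can read a logon only when the request travels as plaintext HTTP; if the same exchange is a TLS record, the capture holds ciphertext and nothing to decode. It also checks the case where the page shows a padlock but the logon form posts to a plain-HTTP action. The packets, host name, user name, password and the OWA-style paths are constructed sample data, and the list of password field names is an assumed heuristic.

```python
"""Added example: what a sniffer can and cannot read from captured web-mail logons.
All packets below are constructed samples, not real captures."""
import base64
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: field names commonly used for the secret on logon forms.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header
    (content type 0x14..0x17 followed by major version 3).
    Such a capture carries ciphertext only; there is no credential to read."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def parse_http_request(raw: bytes):
    """Split a plaintext HTTP request into (method, target, headers, body),
    or return None if the first line is not an HTTP request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def find_cleartext_credentials(payload: bytes) -> dict:
    """Return every credential readable from one captured request.

    'basic' -> (user, password) decoded from an HTTP Basic Authorization header
    'form'  -> {field: value} for a form-encoded POST that carries a password field
    Returns {} for TLS records, non-HTTP data, or requests without credentials.
    """
    if looks_like_tls(payload):
        return {}
    parsed = parse_http_request(payload)
    if parsed is None:
        return {}
    method, _target, headers, body = parsed
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64, not encryption: anyone on the wire can decode it.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic"] = (user, password)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = dict(parse_qsl(body.decode("latin-1")))
        if any(name.lower() in PASSWORD_FIELDS for name in fields):
            found["form"] = fields
    return found


def logon_form_protected(page_url: str, form_action: str) -> bool:
    """The padlock only proves the logon page itself arrived over TLS.
    The credentials are protected only if the form's action is also https
    (a relative action inherits the page's scheme)."""
    scheme = urlsplit(form_action).scheme or urlsplit(page_url).scheme
    return scheme == "https"


# Constructed sample 1: forms-based OWA-style logon sent over plain HTTP.
SAMPLE_FORM_POST = (
    b"POST /exchweb/bin/auth/owaauth.dll HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"destination=https%3A%2F%2Fmail.example.com%2Fexchange&username=jdoe&password=Winter2009"
)

# Constructed sample 2: the same mailbox reached with HTTP Basic authentication.
SAMPLE_BASIC = (
    b"GET /exchange/ HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"jdoe:Winter2009") + b"\r\n"
    b"\r\n"
)

# Constructed sample 3: a TLS application-data record (what port 443 traffic looks like).
SAMPLE_TLS = b"\x17\x03\x03\x00\x40" + bytes(64)


if __name__ == "__main__":
    for label, packet in (("plain HTTP form", SAMPLE_FORM_POST),
                          ("plain HTTP basic", SAMPLE_BASIC),
                          ("TLS record", SAMPLE_TLS)):
        print(label, "->", find_cleartext_credentials(packet))
    print("relative action on https page:",
          logon_form_protected("https://mail.example.com/exchweb/bin/auth/owalogon.asp",
                               "/exchweb/bin/auth/owaauth.dll"))
    print("http action on https page:",
          logon_form_protected("https://mail.example.com/exchweb/bin/auth/owalogon.asp",
                               "http://mail.example.com/exchweb/bin/auth/owaauth.dll"))
```

Run against a real capture, the payload to feed in is the reassembled TCP stream toward the server, one request at a time. If `find_cleartext_credentials` returns the user name and password, the client sent them over plain HTTP regardless of what certificate the server holds; if `looks_like_tls` is true, the capture is ciphertext and the credential is not recoverable from the wire.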