funcakes dot com

HTTPS and SSL in practice

So when you see a web address that starts with https, that means it's secure. You should expect this from any website that captures or displays personal details, bank details and so on.
 
Greenwich university has a problem with their student portal, and it doesn't work in IE9, so their helpdesk recommends you download Firefox.
 
However, when using Firefox, the portal's SSL certificate fails verification because of some issue with it, and the browser comes up with a big warning saying this connection is untrusted.
 
If you ring up the university helpdesk, they will recommend you simply accept the invalid certificate. DON'T.
 
I wonder how long they've been telling students that it's OK to accept invalid certificates. They'll remember this advice. I guess this means Greenwich students are quite easy to hack. Sorry Greenwich, you're a seat of learning. You provide many IT degrees. You should know that this matters. It's really not acceptable to advise people to do this.
 
The helpdesk only needs to say this once to a hacker, and that hacker will be able to use this psychological information to fairly reliably hijack and/or inspect all browser traffic between students and the university for a number of years, potentially stealing students' identities, passport details, bank details, passwords etc.
 
You don't need a password to proxy an SSL connection IF the end user accepts your spoofed certificate. You can then easily log ALL information SENT OR RECEIVED by the unsuspecting web user.
 
I am telling you because you should know that it matters, and the university should know that, with some urgency, their students need to be told to NEVER do this.
 
Jesus