Rediff.com Still sending the clear text password to the server

I was just testing if rediff.com still sends the passwords in clear text. I found that out once in my college days while sniffing the college network. I thought that they might have patched it so today while playing around with gmail's I thought to give Rediff.com a try And see what I found. This is the code from the home page of http://www.rediff.com

Blogger sucks it didn't lemme format my data according to me. Anyway


<br /><br /><form name="loginform" action="http://mail.rediff.com/cgi-bin/login.cgi" method="post"><input type="hidden" value="existing" name="FormName"> </td><br /><td width="80"><span class="f9"><input onblur="if (this.value == '') {this.value='User name'}" style="MARGIN: 0px; WIDTH: 77px; FONT-FAMILY: arial,helvetica,sans-serif; font-class: f9" onfocus="if (this.value =='User name') {this.value = ''}" maxlength="30" size="6" value="User name" name="login"><br /></span></td><br /><td width="85"><input onblur="if (this.value == '') {this.value='Password'}" style="MARGIN: 0px; WIDTH: 77px; FONT-FAMILY: arial,helvetica,sans-serif" onfocus="if (this.value =='Password') {this.value = ''}" type="password" maxlength="30" size="6" value="Password" name="passwd"><br /></td><br /><td width="31"><input type="image" height="19" width="31" src="http://im.rediff.com/uim/mail_go.gif" border="0"><br /></td></form><br />

It must be very clear if you ever read HTML. It just calls the login.cgi and provides the User name and Password in clear text (using POST method).

Look at the Request object your browser is sending


POST /cgi-bin/login.cgi HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://ia.rediff.com/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: mail.rediff.com
Content-Length: 60
Proxy-Connection: Keep-Alive
Cookie: Some Cookie string

FormName=existing&login=username&passwd=mypasswords&x=0&y=0


So now anyone who can read your data have your password. It's not that hard to sniff the data. If you are using LAN (using hubs) anyone can read your data. Beaware if you are in a cyber cafe, your neighbour might be reading your emails or may be sending emails to your GF/BF.