

The Illinois Commerce Commission websites do not use OpenSSL - mercurialshark
http://www.icc.illinois.gov/

======
wglb
Server: Microsofg-IIS/7.0 Set-Cookie: ASP.NET_SessionId=... X-Powered-By:
ASP.NET

Thus, it is SChannel.

And the title is wrong--the site says "Did not use OpenSSL".

~~~
mercurialshark
Indeed. They could clarify rather easily. Not using OpenSSL doesn't imply that
they are secure, nor does it explain what they are using for the non-technical
attorneys on the site...

~~~
ntakasaki
>Not using OpenSSL doesn't imply that they are secure

Uhh, it does mean that they are secure from the HeartBleed bug. I think you're
confused, OpenSSL is a piece of software, SSL is a protocol with multiple
implementations. So it's possible to use SSL without using OpenSSL, hence the
title of this post is completely wrong.

~~~
mercurialshark
I understand your point regarding HeartBleed, the title and SSL. However, does
that make it acceptable to not use some form of SSL on the non-authentication
portion of the site? And are you saying they do?

~~~
wglb
That is a different question. The title as you edited it is _Illinois Gov 't:
Don't Worry, We Never Used SSL To Begin With_

which is very different (and wrong), from _Illinois Gov 't: Don't Worry, We
Never Used OpenSSL To Begin With_.

------
nolok
People seem to be missing that they have a private account part, protected by
ssl, probably for services aimed at business owners. That's the reason for
this notice.

And the author of this thread's title is wrong, the fact that they don't use
OpenSSL does not mean they do not use SSL at all (as proved).

~~~
mercurialshark
As pointed out below, even if you are not authenticating or transmitting data
through sign in, you would still like to know if you are talking to the .gov
site. Also, while they use SSL for authentication, they don't clarify via
banner.

Moreover, the login is for attorneys representing businesses, so there is
potentially even more at stake. Yes, they would like to know they are actually
talking to the .gov site.

------
beat
There are other implementations besides OpenSSL.

~~~
mercurialshark
They could clarify. Besides, it doesn't look like there is any form of SSL
being used. Correct me if I'm wrong.

~~~
ma2rten
consider yourself corrected.

[https://www.google.com/search?q=site%3Awww.icc.illinois.gov+...](https://www.google.com/search?q=site%3Awww.icc.illinois.gov+inurl%3Ahttps)

~~~
mercurialshark
That's just for signing in. Perhaps SSL isn't really necessary unless signing
in, but I would still think it could facilitate malicious script injections.

~~~
nolok
Realize that people who sign in on the "commerce comission" website are
probably business owners who don't want their sign in information (or other
stuff this web site might have from them in their account) to be leaked

------
cjfont
So what? Depending on whether they're simply hosting public information and
there's no need for authentication, why would they need SSL?

~~~
ams6110
Even if I'm not submitting authentication credentials or other sensitive
informtation, if I'm looking up something at a .gov I'd like to be sure I'm
actually talking to the real website.

------
mercurialshark
I stand corrected. My lessor points on only the authentication portion of the
site don't justify the title, that I would correct if I could. Thanks, let's
let this go the way of the Boskop...

------
ChrisGaudreau
Looking around the site, it appears that they do use SSL for parts that
require authentication. They may simply be using a different implementation of
SSL.

------
evidencepi
Is that a joke?

