DesktopTwo Insecure, Sends Username and Password in Clear Text
The online desktop (or “webtop”) DesktopTwo Beta, although easy to use and full of features, does not encrypt the authentication process and therefore offers no real data security.
One of the first things a user should know to look for when making any sort of web transaction is the lock icon in their browser.
When signing up for an account on DesktopTwo, or logging into the account once it has been created, the user should notice that the icon is not present. As long as someone has access to your network, they can capture a packet using a free tool such as Wireshark and discover your user name and password. This could be especially bad if the user has the habit of using the same password for all their different accounts. The image to the right shows how easy it is to see what the user id and the password are.
Considering that one of the main uses of a ‘webtop’ is that it is usable in different remote locations, the issue of security is raised even higher. Until a decent level of encryption is established for both the authentication process and the entire session, DesktopTwo is likely to cause more damage to users than be of any actual use.
Our whole home page now uses 256-bit encryption between our server and the user’s browser. It’s secure.
Oscar Mondragón
28 May 07 at 10:06 am
Not to be a pain, but just FYI there is still a minor hole. The http->https redirect from the home page doesn’t catch this deep link.
Ian Brandt
14 Jun 07 at 5:15 pm