WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: Rogan Dawes <discard () dawes za net>
Date: Tue, 27 Jul 2004 16:22:33 +0200
Konstantin Ryabitsev wrote:
> On Tue, 2004-07-27 at 09:55 -0400, Mark Curphey wrote:
>
>> But at that point it's too late. The check for server authentication is done after I have sent my username and password. This IMHO is a bad practice that has started to creep into other sites, including online banking.
>
> Not really. SSL verification is done before the HTTP headers are sent to the server (same reason why you can't have name-based SSL virtual hosting), so if there is an SSL cert mismatch, your browser will alert you, and if you cancel the connection then the server won't see any of your data. In fact, presenting the login form on the SSL page won't win you anything, since there is no guarantee that you will submit your data to the same SSL-enabled server as the one that sent you the login form.
Not so. I assume that you trust the holder of the SSL cert that you verified prior to submitting your credentials, otherwise you would not do so ;-)
If they wanted to get your credentials, it is as easy to write an app on their own server, as it is to modify their page to send your credentials to a different server, and a lot less suspicious, too!
Rogan

--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
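The disagreement above rests on two separate properties of a login form: whether the credential crosses the wire under TLS (Konstantin's point, since the certificate is checked before any request is sent to the action URL), and whether the page carrying the form was itself fetched over TLS, so that nobody on the path could have rewritten its action (Mark's point). The checker below is an added example, not code from the original thread or from either poster; the page URLs, hostnames and HTML in it are constructed for illustration. It finds every form that contains a password field, resolves the action against the page URL, and reports both properties plus a one-line verdict.

```python
"""Audit login forms for where they actually submit credentials.

A form that POSTs to an https:// URL protects the credential in transit,
because the browser verifies the server certificate before sending any HTTP
request. But if the page carrying the form was fetched over plain HTTP,
an attacker on the path could have rewritten the form's action before the
browser ever saw it. This checker reports both facts for each login form.
All URLs and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect (action, has_password_field) for each <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms, one dict per <form>
        self._current = None     # the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            # <input> without a type attribute defaults to a text field
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form on the page that has a password field.

    submit_over_tls: the action URL is https://, so the certificate is
                     verified before the credential leaves the browser.
    page_over_tls:   the page carrying the form was served over https://,
                     so its action could not have been rewritten in transit.
    same_host:       the action host matches the page host.
    """
    parser = LoginFormCollector()
    parser.feed(html)
    parser.close()
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # An empty or relative action is resolved against the page URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        findings.append({
            "action": target.geturl(),
            "submit_over_tls": target.scheme == "https",
            "page_over_tls": page.scheme == "https",
            "same_host": target.hostname == page.hostname,
        })
    return findings


def verdict(finding):
    """Summarise a finding in the terms the thread argues about."""
    if finding["submit_over_tls"] and finding["page_over_tls"]:
        return "ok"
    if finding["submit_over_tls"]:
        # Credential is encrypted, but the form itself was unauthenticated.
        return "form served in the clear; action could have been rewritten"
    return "credential sent in the clear"


# Constructed sample: a login page served over plain HTTP whose form
# posts to an HTTPS host (the pattern objected to in the thread).
CLEAR_PAGE_URL = "http://www.example.com/login"
CLEAR_PAGE_HTML = """
<html><body>
<form method="post" action="https://secure.example.com/auth">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

# The same page after an on-path attacker rewrote the action (constructed).
TAMPERED_HTML = CLEAR_PAGE_HTML.replace(
    "https://secure.example.com/auth", "http://www.example.net/collect")


if __name__ == "__main__":
    for label, html in (("original", CLEAR_PAGE_HTML), ("tampered", TAMPERED_HTML)):
        for f in audit_login_forms(CLEAR_PAGE_URL, html):
            print(f"{label}: POST to {f['action']} -> {verdict(f)}")
```

Run against the untampered page, the checker reports that the credential would travel over TLS to secure.example.com but that the form itself arrived over HTTP, which is exactly the gap the two replies disagree about; against the tampered copy it reports that the credential would go out in the clear to another host. The search form, having no password field, is ignored.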
Current thread:
- Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- Re: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- Re: Growing Bad Practice with Login Forms Rogan Dawes (Jul 27)
- Re: Growing Bad Practice with Login Forms Devin Heitmueller (Jul 27)
- Re: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- Re: Growing Bad Practice with Login Forms Ivan Ristic (Jul 27)
- Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Re: Growing Bad Practice with Login Forms Ivan Ristic (Jul 28)
- Re: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- RE: Growing Bad Practice with Login Forms Dan C Crawford (Jul 27)