WebApp Sec mailing list archives
And the best quote award goes to...
From: "Mark Mcdonald" <m.mcdonald () cgl com au>
Date: Wed, 28 Jul 2004 08:46:13 +0800
"Users are stupid, unpredictable, and applications would function a lot better without their interaction." Priceless :)

Mark McDonald | CGL is | web developer

-----Original Message-----
From: athena () buyukada co uk [mailto:athena () buyukada co uk]
Sent: Wednesday, 28 July 2004 7:31 AM
To: webappsec () lists securityfocus com
Subject: Summary: Growing Bad Practice with Login Forms

Ok, just to round things up... There appear to be two camps on this one.

In the red corner, we have the guys that say 'SSL only tells you the current page is served over SSL, not the page you're linking to. There's no guarantee the credentials are sent to an SSL server, and phishing exploit of the month, XSS etc. could make a user believe that they're submitting to a secure server (as the SSL icon will appear in the status bar of most browsers) when they aren't. Therefore you should submit the credentials over SSL but not necessarily the login page itself.'

In the blue corner, weighing in at 419 pounds from bankx.com.ng, the guys that say 'The user doesn't know whether or not the submission will be over SSL to a valid site or not until it's too late. At least using SSL for the first page means that the application has control of where the user goes next.'

A valid point that serves as an uppercut to team blue is that a user clicking a link can be sent to *any* https site, and the uneducated user will click on the link. Equally so, team red takes one in the jaw by losing the confirmation of integrity of the initial page, which can also be *any* http site.

Meanwhile Microsoft in the commentary box tells us that the next version of IE and XP SP2 will render all this pointless anyway. Just like real sports pundits, nobody believes them ;)

The things that are in common with all of this are: Users are stupid, unpredictable, and applications would function a lot better without their interaction.
We all now know that as long as the username and password themselves are sent over SSL to the correct site, the credentials themselves are safe. It is clear that user elimination^Weducation is the key here. In the same way that sites tell users to look for the padlock, they should also be told to verify the certificate before blindly accepting it, and provided with contact details *when they sign up, not when they log in* for someone to call if things go awry.

It should be noted that a two-page authentication mechanism or one-time-pad will allow a user to spot attacks with either red or blue's methods - either way the SSL padlock will disappear when the user submits to the attacker's site, and as long as the user knows that they should verify the cert (and how to) then sending the initial request over http is still possible. A mix of policy, technology and ECT is in order here.

Another way of fixing this is for the site to authenticate to the user. Just as when banking you may get asked for two letters from your passphrase, the application could give you two characters from its passphrase to let you know that it's the real deal. If the characters don't add up ... you're in trouble.

Steve

*** DISCLAIMER **** This e-mail and any attachments to it are confidential. If you receive them in error, please tell us immediately and delete them. You must not retain, distribute, disclose or otherwise use any information contained in them. Before opening or using any attachments with this e-mail you should check them for viruses and other defects. The sender does not warrant that they will be free from computer viruses or other defects. *******************
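An added check, not part of the thread or anyone's post, that applies both camps' criteria to a login page: whether the page URL itself is HTTPS (team blue) and whether each form holding a password field posts to an HTTPS action (team red). The function names, the sample page and the example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password field, with its action."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished login forms
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """One finding per login form, covering both conditions from the thread:
    is the page itself served over HTTPS, and are credentials posted to HTTPS?"""
    parser = _LoginFormFinder()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"] or page_url)
        findings.append({"action": target, "page_https": page_https,
                         "submit_https": urlsplit(target).scheme == "https"})
    return findings


# Constructed sample page (not a real site): served over plain HTTP, with a
# "team red" form posting to HTTPS and a second form posting over plain HTTP.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = """
<form action="https://secure.example.com/auth" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="/auth" method="post">
  <input name="user"><input type="PASSWORD" name="pass"></form>
"""
```

A form where both flags are false fails both camps' tests; only a page with `page_https` and `submit_https` both true satisfies everyone in the thread.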
Current thread:
- And the best quote award goes to... Mark Mcdonald (Jul 27)