WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Tue, 27 Jul 2004 19:04:30 -0700
> * The difference between a non-SSL and a SSL site should be more visible to the user. SSL-enabled connections should be made to look more important. The small image in the corner does not cut it. I would like to see a red border around the whole browser window. Or a red border until you explicitly choose to trust a site, at which point it changes to green. Something like that.

That's a good idea, though color alone wouldn't suffice.

> Also, why not display the contents of a certificate on the screen at all times (e.g. organization name & address).

Another good idea.

> * Browsers should remember the public key of a visited server, and compare the stored key with the key received upon the next visit. Just as SSH does.

This is yet another good idea. The beauty is that the first time you visit, you look at the cert details. If someone takes you to a spoof site that you visit all the time (PayPal, Citibank, etc.) and the popup arises, at least you'll look again (even if they just changed their keys). Both Mozilla and IE browsers fail to display the most interesting tidbits (domain name and organization name) on the first click, with Mozilla making the info even less obvious than IE. Requiring that people click on the lock, then click another button to examine the cert is simply asking users to do too much. It needs to be automatic, perhaps with a special SSL-mode display as suggested that shows this info all the time.

David
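As an added illustration (not code from this thread or from any browser), here is the SSH-style "remember the key, compare on the next visit" check the post describes, in Python, together with pulling the organization and common name out of the certificate for display. The names KnownHosts, cert_identity and check_live_host are hypothetical; the store records a SHA-256 fingerprint of the DER certificate, which is simpler than extracting the public key but has the caveat noted in the comment.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate.
    Caveat: this pins the whole certificate, so a routine renewal with the
    same key trips the check; pinning SubjectPublicKeyInfo would survive it."""
    return hashlib.sha256(der_cert).hexdigest()


class KnownHosts:
    """Trust-on-first-use store, modelled on SSH's known_hosts (hypothetical)."""
    NEW, MATCH, CHANGED = "new", "match", "changed"

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None = in-memory only
        self.entries = {}
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())

    def check(self, host: str, fp: str) -> str:
        known = self.entries.get(host)
        if known is None:                 # first visit: remember, show the cert
            self.entries[host] = fp
            self._save()
            return self.NEW
        return self.MATCH if known == fp else self.CHANGED

    def trust(self, host: str, fp: str) -> None:
        """Only after the user explicitly accepts a CHANGED key (the red-to-green step)."""
        self.entries[host] = fp
        self._save()

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries))


def cert_identity(cert_dict: dict) -> tuple:
    """(commonName, organizationName) from ssl.SSLSocket.getpeercert() output."""
    subject = {k: v for rdn in cert_dict.get("subject", ()) for k, v in rdn}
    return subject.get("commonName", "?"), subject.get("organizationName", "?")


def check_live_host(store: KnownHosts, host: str, port: int = 443) -> tuple:
    """Normal CA validation first, then the TOFU comparison on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der, info = tls.getpeercert(binary_form=True), tls.getpeercert()
    return store.check(host, fingerprint(der)), cert_identity(info)
```

A CHANGED result should block the page until the user looks at the certificate details again; MATCH is where a persistent green indicator would be justified.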