WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Jason Coombs PivX Solutions <jasonc () science org>
Date: Tue, 27 Jul 2004 16:18:46 -1000

Ivan Ristic wrote:
  * Session cookies transmitted over an unencrypted channel
    should not be allowed over SSL. The same the other way
    round.

Browsers already differentiate between SSL cookies and non-SSL cookies.

As a result it is often necessary to URL-encode the session identifier, at least at the transition from a non-SSL-mode session to an SSL-mode session -- most sites allow the user to browse for a while without "going secure" for a more sensitive step. The scenario that prompted this discussion is a good example of this - everyone is welcome to visit the home page unencrypted/unauthenticated, and when the user is ready to login the FORM POST goes via SSL ... (allegedly, and who knows *where* it was supposed to go when in fact it went where it went, wherever that was, since the user doesn't know and won't care)

Browsers definitely should get rid of certificate chains as a basis of trust. The public key is the only thing that matters, and the only good that certificate chains do for us is give us a small increase in confidence that the public key we are being offered in fact belongs to the organization we think it belongs to... certificate spoofing flaws exist that make certificate-based trust mostly a stupid browser trick and not a real mechanism for security, but we're stuck with it anyway until somebody (me, for example, or you, perhaps) bothers to barge into the Mozilla codebase and developer community and bash some heads and write some code to make the thing behave properly.

Most Secure Regards,

Jason Coombs
Jcoombs () pivx com
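To make the two cookie rules in this exchange concrete, here is an added toy cookie jar (not code from either poster or from any browser). In its default mode it applies only what browsers already do, refusing to send a cookie carrying the Secure attribute over plain http; in strict mode it also applies the rule Ivan Ristic proposed, refusing to send over https a cookie that was originally set over plain http. The host, cookie names and values are constructed sample input.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool        # Secure attribute present in Set-Cookie
    set_over_tls: bool  # channel the Set-Cookie arrived on


class CookieJar:
    """Toy cookie jar, constructed for this example.

    strict=False: a cookie with the Secure attribute is sent only over https
                  (what browsers already do).
    strict=True:  additionally, a cookie that was set over plain http is never
                  sent over https, so a session id exposed on the plaintext leg
                  of a visit cannot be carried into the encrypted part.
    """

    def __init__(self, strict=False):
        self.strict = strict
        self.cookies = {}

    def store(self, set_cookie_header, origin_url):
        """Parse a single Set-Cookie header value received from origin_url."""
        over_tls = urlparse(origin_url).scheme == "https"
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        self.cookies[name] = Cookie(name, value, secure, over_tls)

    def cookies_for(self, url):
        """Return the name->value map the jar would attach to a request to url."""
        over_tls = urlparse(url).scheme == "https"
        sent = {}
        for c in self.cookies.values():
            if c.secure and not over_tls:
                continue  # existing browser rule: Secure cookies stay on https
            if self.strict and over_tls and not c.set_over_tls:
                continue  # proposed rule: plaintext-born cookies stay off https
            sent[c.name] = c.value
        return sent
```

Running the same two Set-Cookie headers through a default jar and a strict jar shows the difference: the strict jar drops the http-born session cookie from the https request, which is exactly the leak path the thread is worried about.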

