WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: maburns () safenet-inc com
Date: Mon, 20 Jun 2005 17:03:47 -0700
Amazon does use SSL when you are sending the transaction with your credit card data; the browser padlock comes up and HTTP"s" confirms you are in an SSL encrypted tunnel from your desktop to their server.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net]
Sent: Monday, June 20, 2005 4:42 PM
To: herzbea () macs biu ac il
Cc: webappsec () securityfocus com
Subject: Re: Should login pages be protected by SSL?

Depends on the value of the system in use. I help develop forum software, and millions of people use forum software without SSL every day. In fact, most forum software has a password equivalent cookie which can lead to complete compromise from cookie stealing, and yet most users will not give up the convenience of auto login.

OTOH, where the login leads to private data, such as your name and address, I feel that corporations have a duty of care to protect your data under the various privacy acts around the world. The cost of a certificate is much less than potential litigation, or more to the point, reputation loss if someone discovers a way around it.

However, if it's a shopping cart type of thing, like Amazon, the thing that should be SSL is not the browsing of goods, but the transactions, particularly the credit card and address details. The Visa/MC PCI guidelines are quite stringent on applying reasonable controls to this data. In the case of Amazon 1-click, then effectively the 1-click is the thing requiring protection, so some form of control around that is also required.

So if you're allowed to browse and add items without SSL (ie you're using some form of password analog in the cookie), then as soon as you're about to see some private data, my view is that re-authentication and completing the transaction over SSL should be required. Going SSL may not necessarily help with CSRF attacks.

If the corp has COBIT requirements (ie they're using COBIT to do SOX), then you might have better luck; grab COBIT and see what controls should have been applied. That usually focuses their attention, particularly if the application forms part of their financial systems.

Lastly, if SSL is not used the entire time, then the "Secure" option of the cookie cannot be used. This is a weakening of an already weak control, but people shouldn't throw it away just to save a few bucks on a certificate.

Andrew

On 21/06/2005, at 2:20 AM, Amir Herzberg wrote:
Here is a simple question: should web login forms be always protected by SSL?
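As an added illustration of Andrew's last point about the cookie "Secure" option (example code, not from anyone in the thread): a Python 3 sketch, standard library only, that builds a session cookie with or without the Secure attribute and models the browser rule that a Secure cookie is only returned over https, which is why a site that serves some logged-in pages over plain http cannot use it without breaking auto-login. The hostname forum.example, the page paths and the token value are constructed for the demo.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_session_cookie(token: str, secure: bool) -> str:
    """Return the Set-Cookie value for a password-equivalent session cookie.

    With secure=True the cookie carries the Secure attribute, so a conforming
    browser only sends it back over https (RFC 6265, section 4.1.2.5).
    HttpOnly is set in both cases so page script cannot read the token.
    """
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    if secure:
        c["session"]["secure"] = True
    return c.output(header="").strip()


def browser_sends_cookie(set_cookie_value: str, request_url: str) -> bool:
    """Browser-side rule: a Secure cookie is never attached to a plain http request."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    morsel = c["session"]
    scheme = urlsplit(request_url).scheme
    return not (morsel["secure"] and scheme != "https")


def pages_losing_session(set_cookie_value: str, urls: list) -> list:
    """URLs at which the cookie would not be presented, i.e. where auto-login silently breaks."""
    return [u for u in urls if not browser_sends_cookie(set_cookie_value, u)]


# Constructed browsing path of a forum user: login over SSL, then reading over plain http.
VISITED = [
    "https://forum.example/login.php",
    "http://forum.example/index.php",
    "http://forum.example/viewtopic.php?t=1",
]

if __name__ == "__main__":
    secure_cookie = build_session_cookie("5f3a9c1e", secure=True)
    plain_cookie = build_session_cookie("5f3a9c1e", secure=False)
    print("Secure cookie lost on:", pages_losing_session(secure_cookie, VISITED))
    print("Plain cookie lost on: ", pages_losing_session(plain_cookie, VISITED))
```

The plain cookie is sent everywhere, which keeps auto-login working but also exposes the token on every http request; the Secure cookie is only usable once every logged-in page is served over SSL.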