WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: <bluewizard83-de4gahsh () yahoo com>
Date: Mon, 20 Jun 2005 23:28:14 -0700 (PDT)
-- Amir Herzberg <herzbea () macs biu ac il> wrote:
Here is a simple question: should web login forms be always protected by SSL?
Let me check to see if I understand what you are asking. Do you mean something like: login form at http://www.site.org/login.html with a login form that submits to something like https://secure.site.org/auth.cgi? In my opinion the login form doesn't need to be protected with SSL, but the form MUST submit to a SSL protected page if there is any data of any value being transmitted. I don't see how adding SSL to the form page directly increases security or results directly in any vulnerability. I am by not an expert though.
As a crypto/security expert, my answer is yes. I think this is necessary, to protect against MITM attacks, as well as from the more common and easy phishing, pharming, and other forms of spoofing attacks,
I don't see how SSL-protecting the login form would protect you from MITM attacks if the form is submitting to a SSL protected page. The main issue in my opinion is that unprotected forms makes it impossible to properly educate users aboute what a 'secure' versus non-secure site is. For example it is impossible for me tell my clients that they should only login to sites with the padalock displayed by the the browser when the login page at their bank doen't show up as being SSL protected until after the users has clicked the login button. I am like you though. I think the login forms should be protected as well. If only because it helps users know what forms are and are not SSL-protected. Chris
Current thread:
- Rephrased: Should login pages be protected by SSL - although it won'thelp most users?, (continued)
- Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)