WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?

From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 11:50:45 +0200

maburns () safenet-inc com wrote:

The login page cannot be protected by SSL until after the authentication is
complete. Once the user is authenticated then all information sent between
the server and remote user is in a ssl encrypted tunnel until the session is

ended.

This may be a bit misleading to readers not sufficiently familiar withSSL, so let me clarify. The SSL tunnel is established using the server'scertificate (and optionally- and rarely used - using client'scertificate). All traffic, including user authentication if using cookieor password, is inside the tunnel.

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages:http://AmirHerzberg.com/shame.html

Current thread:

Re: Should login pages be protected by SSL?, (continued)
- - - Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
    - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- RE: Should login pages be protected by SSL? maburns (Jun 20)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Torsten Mueller (Jun 21)
    - RE: Should login pages be protected by SSL? Almerindo Graziano (Jun 21)
    - Webapp-level protection/detection of Pharming attacks WebAppSecurity [Technicalinfo.net] (Jun 21)
- RE: Should login pages be protected by SSL? maburns (Jun 20)
  - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
  - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
  - RE: Should login pages be protected by SSL? Glenn Euloth (Jun 22)
- Re: Should login pages be protected by SSL? Bob Radvanovsky (Jun 22)
  - Re: Should login pages be protected by SSL? James Barkley (Jun 23)
  - Re: Should login pages be protected by SSL? Saqib Ali (Jun 23)
    - Re: Should login pages be protected by SSL? Eoin Keary (Jun 24)

(Thread continues...)