WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?

From: Amir Herzberg <herzbea () macs biu ac il>
Date: Wed, 22 Jun 2005 08:26:19 +0200

Steve Shah wrote:

On Tue, Jun 21, 2005 at 12:07:34PM +0200, Amir Herzberg wrote:
experts really agree here, but since some of the companies object, I aminterested to see if there are some serious defenses of the unprotectedlogin practice.
Even with my security hat on, I'd be pressed to justify the load of an
encrypted login for a content site that just needs to identify me to
extract some marketing data from their logs.

There may be some argument even in this case (privacy, tendency of usersto use same passwords, ...). But this was _not_ my intent. I may nothave been clear, but I am interested in sensitive sites - financial,shopping, security (CA, DNS, SSO, Portals, etc.). As you can see in my`Hall of Shame` http://AmirHerzberg.com/shame.html, many of these don'tuse SSL to authenticate the login page, only to encrypt the password(when using a correct login page).

So, the real question I'm asking: should login pages to sensitive (e.g.financial) sites be protected by SSL?


--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages:http://AmirHerzberg.com/shame.html

Current thread:

Should login pages be protected by SSL? Amir Herzberg (Jun 20)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 21)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Andrew van der Stock (Jun 21)
    - Re: PCI standards & Should login pages be protected by SSL? Peter Watkins (Jun 21)
    - RE: PCI standards & Should login pages be protected by SSL? Lyal Collins (Jun 22)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
    - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
    - Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)
    - Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
    - Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
    - Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
    - Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 20)

(Thread continues...)