WebApp Sec mailing list archives
[summary] Re: Should login pages be protected by SSL?
From: Steve Shah <sshah () risingedge org>
Date: Wed, 22 Jun 2005 05:35:01 -0700
Amir Herzberg asked the question of "should login pages be SSL encrypted". The flurry of discussion can be summarized as "Yes" with the following details:

1. SSL generates a lot of load. A site administrator should be concerned over this.

1a. SSL load for a sufficiently large site (read: a site with budget) can be addressed with SSL accelerators.

2. Most people believe that a login page *should* be encrypted for web sites carrying important data (e.g., financial, etc.).

3. A few exceptions were raised for sites that don't carry valuable data (e.g., newspaper sites), since the additional load created by SSL does not justify the asset that is being protected.

3a. The concern over users using the same login/password combination was raised. In an unsecured wireless environment, not using SSL means that even if the site operator is trustworthy enough not to use the login for personal gain, someone sniffing packets might.

3b. It was universally agreed that user education for effective usage of passwords is necessary.

4. If a site does use SSL, it is important to use SSLv3 or better. Apache and most SSL accelerators (ergo, I suspect most other web servers as well) can be configured to redirect users to a special landing page if they are using an older version of SSL. The landing page can provide instructions on how to upgrade your browser. Many financial institutions do this.

5. The current reality is that most content sites that are not protecting a valuable asset do not use SSL to protect their users.

6. You can find Amir's Hall of Shame for sites that should (but don't) use SSL for access at http://AmirHerzberg.com/shame.html

--
Steve Shah
sshah () RisingEdge org