WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?

From: Dave Ockwell-Jenner <doj () solar-nexus com>
Date: Wed, 22 Jun 2005 07:05:09 -0400

From a purely non-technical viewpoint: it may be a good idea for thelogin page to be protected by SSL if for no other reason that having thebrowser show the "padlock" symbol. It's something that non-technical,non-web developer people can see and (somewhat) understand. Since theyare typing their password on a page, that's what many associate with -"I'm not entering my password here, I don't see the padlock".


Amir Herzberg wrote:

There may be some argument even in this case (privacy, tendency ofusers to use same passwords, ...). But this was _not_ my intent. I maynot have been clear, but I am interested in sensitive sites -financial, shopping, security (CA, DNS, SSO, Portals, etc.). As youcan see in my `Hall of Shame` http://AmirHerzberg.com/shame.html, manyof these don't use SSL to authenticate the login page, only to encryptthe password (when using a correct login page).
So, the real question I'm asking: should login pages to sensitive(e.g. financial) sites be protected by SSL?



--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/

Current thread:

Re: Should login pages be protected by SSL? (and comment to moderator), (continued)
- - - Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
    - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
    - Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)
    - Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
    - Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
    - Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
    - Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
    - Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 20)
- Re: Should login pages be protected by SSL? Andy bentley (Jun 20)
  - RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 21)
  - Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Kalyan Varma (Jun 21)
- Re: Should login pages be protected by SSL? Stefano Di Paola (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Message not available
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)

(Thread continues...)