WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Dave Ockwell-Jenner <doj () solar-nexus com>
Date: Wed, 22 Jun 2005 07:05:09 -0400
From a purely non-technical viewpoint: it may be a good idea for the login page to be protected by SSL if for no other reason than having the browser show the "padlock" symbol. It's something that non-technical, non-web developer people can see and (somewhat) understand. Since they are typing their password on a page, that's what many associate with - "I'm not entering my password here, I don't see the padlock".
Amir Herzberg wrote:
There may be some argument even in this case (privacy, tendency of users to use same passwords, ...). But this was _not_ my intent. I may not have been clear, but I am interested in sensitive sites - financial, shopping, security (CA, DNS, SSO, Portals, etc.). As you can see in my `Hall of Shame` http://AmirHerzberg.com/shame.html, many of these don't use SSL to authenticate the login page, only to encrypt the password (when using a correct login page). So, the real question I'm asking: should login pages to sensitive (e.g. financial) sites be protected by SSL?
--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/