WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Flanagan, Kevin" <Kevin.Flanagan () bmwfs com>
Date: Wed, 22 Jun 2005 13:23:45 -0400
Hope I've made it past the deadline for this post getting cut off.

Everyone has been addressing this from an encryption standpoint, but what I haven't seen brought up is the fact that SSL is also providing authentication of the web server. By "securing" that login page using SSL and certificates, the web server is proving to you that it is who it says it is. If you go to amazon.com and the cert is issued for amazon.com, you won't get any cert warnings, and you'll get a nice little lock at the bottom of your page. If you are going to 10.0.0.2 and the cert is for amazon.com, you'll get a cert warning (Grandma will typically click through this, but I on the other hand will look a little deeper). This helps smart people feel secure in that they are not being phished.

If you wait until after someone puts their credentials in and clicks the login button, it may be too late. Your password could be compromised (unless you view the source to figure out where your post is going to).

SSL provides authentication of the web server AND encryption. A two for one deal if you will...

-Kevin

-----Original Message-----
From: Glenn Euloth [mailto:eulothg () hfx eastlink ca]
Sent: Wednesday, June 22, 2005 8:56 AM
To: webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL?

So, what we're really saying is that the biggest hurdle to decent security is not the technology but the education of the masses who use it. Which means we have to make the security totally transparent to the user or solve the unsolvable problem of user education.

With this in mind, would it make more sense to develop systems that do not let the user choose their password? This way, they can't use the same password for everything they do on the web. The only problem then is managing the passwords.

For a geek like myself, I can figure out how to easily make use of Bruce Schneier's Password Safe or another tool like it and ensure that I have a different password for all my web surfing needs, but grandma is going to have a very difficult time with a setup like this.

Starts to bring me back to that old programming adage: "Build a system that an idiot can use and only an idiot will want to use it."

Regards,
Glenn Euloth
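Kevin's point is that the "cert warning" is the browser's hostname check failing: the name the user typed (amazon.com, or 10.0.0.2) is compared against the names the certificate was issued for. The following Python is an added example, not code from the post or from any browser, showing that comparison as browsers apply it: DNS names compare case-insensitively, a wildcard may only stand in for the whole left-most label, and an IP literal such as 10.0.0.2 is only satisfied by an iPAddress entry, never by a DNS name. The subjectAltName list for "amazon.com" is constructed for the example (it is not the real certificate) and uses the same (type, value) tuple shape that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a live peer certificate.

```python
"""Hostname verification against a certificate's subjectAltName entries.

Added example; the SAN data below is constructed, not a real certificate.
Chain building, signature and expiry checks are assumed to happen elsewhere;
this covers only the name match that produces the "cert warning" for a
site whose certificate was issued for some other name.
"""
import ipaddress
from typing import Iterable, Tuple

# Constructed stand-in for the subjectAltName of a certificate issued
# for amazon.com, in the tuple format ssl.getpeercert() uses.
AMAZON_SAN = [
    ("DNS", "amazon.com"),
    ("DNS", "www.amazon.com"),
    ("DNS", "*.amazon.com"),
]


def _dns_label_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry (possibly wildcarded) against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    # Reject "*" or "*.com" style patterns: the wildcard must sit in front
    # of at least two labels, and must be the entire left-most label.
    if "*" in suffix or suffix.count(".") < 1:
        return False
    head, sep, tail = host.partition(".")
    # *.amazon.com covers www.amazon.com but neither amazon.com itself
    # nor a.b.amazon.com (wildcards do not span label boundaries).
    return bool(sep) and head != "" and tail == suffix


def hostname_matches(hostname: str, san: Iterable[Tuple[str, str]]) -> bool:
    """True if the host the user typed is covered by the certificate's SAN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal is compared as an address, and only against
            # iPAddress entries; a DNS entry never satisfies it.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_label_match(value, hostname):
            return True
    return False


def browser_verdict(typed_host: str, san: Iterable[Tuple[str, str]]) -> str:
    """What the user sees for a login page at typed_host presenting this cert."""
    if hostname_matches(typed_host, san):
        return "lock"           # no warning: server proved it is the named host
    return "name-mismatch"      # the cert warning Kevin describes


if __name__ == "__main__":
    for host in ("amazon.com", "WWW.Amazon.COM", "smile.amazon.com",
                 "10.0.0.2", "amazon.com.evil.example", "a.b.amazon.com"):
        print(f"{host:28s} -> {browser_verdict(host, AMAZON_SAN)}")
```

The last three inputs are the phishing shapes the post alludes to: a raw IP presenting someone else's certificate, a look-alike name that merely begins with the real one, and a deeper subdomain that a wildcard entry does not reach. All three produce the mismatch verdict; only the first three produce the lock.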
There may not be an advantage in breaking into that account, but consider that when grandmother registered at the web site she probably picked the same userid and password and password hint as she has at lots of other sites... And SSL does nothing to mitigate that risk.

-Steve
--
Steve Shah sshah () RisingEdge org

SSL mitigates the risk of being able to sniff the userid/password from the unsecured wireless WAPs.
Current thread:
- RE: Should login pages be protected by SSL?, (continued)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 22)
- Re: Should login pages be protected by SSL? Bob Radvanovsky (Jun 22)
- Re: Should login pages be protected by SSL? James Barkley (Jun 23)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 23)
- Re: Should login pages be protected by SSL? Eoin Keary (Jun 24)
- RE: Should login pages be protected by SSL? Levenglick, Jeff (Jun 23)
- RE: Should login pages be protected by SSL? Flanagan, Kevin (Jun 23)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Simon Zuckerbraun (Jun 25)
- RE: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 26)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)