WebApp Sec mailing list archives

Rephrased: Should login pages be protected by SSL - although it won't help most users?


From: Amir Herzberg <herzbea () macs biu ac il>
Date: Thu, 23 Jun 2005 08:29:22 +0200

Ole Kasper Olsen wrote:
...
Amir Herzberg asked the question of "should login pages be SSL encrypted".
The flurry of discussion can be summarized as "Yes"...
...
2. Most people believe that a login page *should* be encrypted
  for web sites carrying important data. (e.g., financial, etc.)
And many such sites are not protected, see `Hall of Shame` (link below)

Encryption is not the point. Authentication is. A login page will
never contain sensitive data anyway and as long as the form is
submitted to a secure server, the data is encrypted just fine. A
problem arises when a customer is tricked into entering credentials at
a bogus site.
Absolutely.

SSL/TLS has decent capability for providing authentication, however
the sad truth is (as Michael Silk noted) that a vast majority of
surfers neither understand nor read certificates. People don't even
look at the URL (many (probably very successful) scams just rely on a
semi-decent-looking link which points to an IP address).

This is correct, given the current security indicators in browsers; I even have some empirical data to support this (but it is also common sense). However, the use of SSL may help _some_ users:
-- The few users who carefully check the URL, padlock, certificate
-- Users who install browsers/extensions providing improved security/identification indicators such as our TrustBar

People in favor of unprotected login pages (mostly people in charge of them?) claim that both user groups above are negligible and do not justify using SSL.

I disagree; for example, TrustBar is available through multiple sites, and I have statistics only from http://addons.mozilla.org, and there I have over 25,000 downloads. BTW this site also allows user feedback, which you are encouraged to leave; I read it carefully and I believe our next release will in fact take care of almost all concerns raised by users.

And of course there are other improved security indicator solutions such as Netcraft and TrustToolBar (although I don't like their privacy invasion and overhead).

This situation is also not helping convince browser folks to add the improved security UI to the browser (so I can get rid of developing TrustBar... have some other research projects to take care of!)
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.htm
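The point argued in this message, that a login page served over plain HTTP but posting to an HTTPS server is encrypted yet not authenticated, as an added example that is not part of the original post, of TrustBar, or of the Hall of Shame: the script below classifies a login page by the scheme of the page and of its form target, and then simulates what an on-path attacker can do to an HTTP-served page, namely rewrite the form action so the (still HTTPS) submission goes to the attacker's own host. The hostnames under `example.test` and `attacker.test` and the sample HTML are constructed for the example.

```python
"""Classify how a login form is exposed, and show why serving the login
page itself over HTTP is not fixed by posting the form to HTTPS.

Added example, not code from the mailing-list post. Sample pages and
hostnames are constructed inline; nothing touches the network.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(page_url, html):
    """Return the absolute submission URL of every form on the page.
    Relative actions inherit the page's scheme, which matters below."""
    parser = _FormActionParser()
    parser.feed(html)
    return [urljoin(page_url, a) for a in parser.actions]


def classify_login(page_url, html):
    """Classify a login page by what the browser can actually verify.

    'protected'            page and every form target are HTTPS
    'unauthenticated-page' page is HTTP, forms post to HTTPS: credentials
                           are encrypted in transit, but the page was never
                           authenticated, so an on-path attacker can change
                           where the form posts before the user sees it
    'cleartext'            at least one form posts over plain HTTP
    """
    targets = form_actions(page_url, html)
    if any(urlparse(t).scheme != "https" for t in targets):
        return "cleartext"
    if urlparse(page_url).scheme != "https":
        return "unauthenticated-page"
    return "protected"


# Matches action="..." or action='...' inside a <form ...> start tag.
_ACTION_RE = re.compile(r'(<form\b[^>]*\baction=)(["\'])(.*?)\2',
                        re.IGNORECASE | re.DOTALL)


def mitm_rewrite(html, bogus_action):
    """Simulate an on-path attacker editing an HTTP response in flight:
    every form action is pointed at the attacker's site. Plain HTTP gives
    the browser no way to notice; a TLS-served page would fail integrity
    checks instead."""
    return _ACTION_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{bogus_action}{m.group(2)}", html)


# Constructed sample: the "form is submitted to a secure server" pattern,
# with the login page itself served over plain HTTP.
HTTP_LOGIN_PAGE = """<html><body>
<form method="post" action="https://login.example.test/auth">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""


def demo():
    """Classify the sample page before and after tampering.

    Returns (classification before, submission URL after, classification
    after). The attacker's target is HTTPS too (a cert for their own
    hostname is easy to obtain), so scheme checks still pass; only serving
    the page over HTTPS would have prevented the rewrite."""
    page_url = "http://www.example.test/login.html"
    before = classify_login(page_url, HTTP_LOGIN_PAGE)
    tampered = mitm_rewrite(HTTP_LOGIN_PAGE,
                            "https://login-example.attacker.test/auth")
    after = classify_login(page_url, tampered)
    return before, form_actions(page_url, tampered)[0], after


if __name__ == "__main__":
    print(demo())
```

Note the relative-action case: a form whose action is `/auth` on an HTTP page posts over HTTP even though the site's HTTPS endpoint exists, which is why `form_actions` resolves actions against the page URL before looking at the scheme.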