WebApp Sec mailing list archives
Re: [summary] Re: Should login pages be protected by SSL?
From: Michael Silk <michaelslists () gmail com>
Date: Fri, 24 Jun 2005 11:09:42 +1000
If the login form is itself protected by https, then the bar for a phish is raised to getting a certificate for that domain. With a plain text login page, the bar for attacking is much lower.
No, it isn't. You need to realise no-one cares about certificates. No-one cares. Nobody. ... No-one ! And trying to _make_ them care (via TrustBar and others) doesn't seem like a great idea to me; as their trust in a system like that can be exploited also. -- Michael
Current thread:
- Re: Should login pages be protected by SSL? (and comment to moderator), (continued)
- Re: Should login pages be protected by SSL? (and comment to moderator) Andrew van der Stock (Jun 21)
- Re: PCI standards & Should login pages be protected by SSL? Peter Watkins (Jun 21)
- RE: PCI standards & Should login pages be protected by SSL? Lyal Collins (Jun 22)
- Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
- Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)
- Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)