WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Mon, 27 Jun 2005 23:10:00 +1000
Not sure on Thawte costs. It's my understanding that some AV products don't inspect HTTP contents under all circumstances - e.g. when the content stays in memory, not written to disk. Often, browsers do not cache HTTPS content, thus the disk-based AV control never sees the malware content until after the infection has occurred. Other common AV products never (in my experience) look at HTTP content at any time - but maybe those products have been updated in recent months. Finally, in my experience, few people have AV, spyware and firewall tools. Those who have separately purchased/licensed such products may be protected, but the majority are not protected.

If I wanted to get spyware inside a business' network, I'd do it through a SSL tunnel.

Lyal

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Monday, 27 June 2005 4:13 PM
To: webappsec () securityfocus com
Cc: 'Lyal Collins'
Subject: RE: Should login pages be protected by SSL?
At present it is an excellent layer of protection and encryption for the individual transaction. It is the only common well known one we have. There are a few companies that make products to add layers of protection to the SSL. The Certs are only about $150 not $2000. [LC] In Australia, Verisign SGC certs are about A$1750 or ~$1400US
Well a SGC is $450 here, I was not aware of the rip-off over there, how about Thawte? http://www.thawte.com/buy/index.html
2. IDS are network security devices that can intercept hackers that are trying to manipulate data on a web site (sometimes at least). Using SSL will render the IDS useless, because it will not be able to intercept hacking patterns against the site - as the data will be encrypted. That will enable the hacker to do his bidding without fear. You might want to do a little research here, on how to use your particular IDS/IPS with SSL (SSL Accelerator etc.) or find one that has that feature available. [LC] I'd love to see more products/packages with this capability too.
Any external SSL Accelerator will decrypt prior to the server.
Using SSL is sometimes good, but not in all cases. Could you give us an example of when it would be bad to use SSL instead of no encryption at all? [LC] Linking unsuspecting users to a HTTPS web page, via the HTTP link deception process of your choice, that's loaded with infecting Trojans and bypass the Proxy/malware sweeper, IDS/IPS and some browser AV plugins. Maybe a bit far fetched, but possible in seconds flat. Lyal
Once it hits the machine, it is decrypted, therefore your AV, spyware etc. is going to detect it. Unless you are suggesting that it stores an encrypted virus on your system, well I guess I would be safe as long as I do not decrypt it? Of course I should be asleep right now, so if I make a delusional statement, please forgive me.