RE: Should login pages be protected by SSL?

["Lyal Collins" <lyal.collins () key2it com au>]

Not sure on Thawte costs.

Its my understand that some AV products don't inspect HTTP contents  under
all circumstances - e.g. when the content stays in memory, not written to
disk.  Often, browsers do not cache HTTPS content, thus the disk-based AV
control never sees the malware content until after the infection has
occurred.  Other common AV products never (in my experience) look at HTTP
content at any time - but maybe those products have been updated in recent
months.

Finally, in my experience, few people have AV, spyware and firewall tools.
Those who have separately purchased/licensed such products may be protected,
but the majority are not protected.  If I wanted to get spyware inside a
business' network, I'd do it through a SSL tunnel.

Lyal


-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com] 
Sent: Monday, 27 June 2005 4:13 PM
To: webappsec () securityfocus com
Cc: 'Lyal Collins'
Subject: RE: Should login pages be protected by SSL? 


> At present it is an excellent layer of protection and encryption for 
> the individual transaction. It is the only common well known one
> we have. There
> are a few companies that make products to add layers of
> protection to the
> SSL. The Certs are only about $150 not $2000.
>
> [LC]
> In Australia, Verisign SGC certs are about A$1750 or ~$1400US


Well a SGC is $450 here, I was not aware of the rip-off over there, how
about Thawte? http://www.thawte.com/buy/index.html




> > 2. IDS are network security devices that can intercept hackers that 
> > are trying to manipulate data on a web site (sometimes at least). 
> > Using SSL will render the IDS useless, because it will not
> be able to
> > intercept hacking patterns against the site - as the data will be 
> > encrypted. That will enable the hacker to do his bidding
> without fear.
>
> You might want to do a little research here, on how to use your 
> particular IDS/IPS with SSL (SSL Accelerator etc.) or find one that 
> has that feature
> available.
>
> [LC] I'd love to see more products/packages with this capability too.


Any external SSL Accelerator will decrypt prior to the server.


> > Using SSL is sometimes good, but not in all cases.
>
> Could you give us an example of when it would be bad to use SSL 
> instead of no encryption at all?
>
> [LC] Linking unsuspecting users to a HTTPS web page, via the HTTP link 
> deception process of your choice, that's  loaded with infecting 
> Trojans and bypass the Proxy/malware sweeper, IDS/IPS and some browser 
> AV plugins. Maybe
> a bit far fetched, but possible in seconds flat.
> Lyal


Once it hits the machine, it is decrypted, therefore your AV, spyware etc.
is going to detect it. Unless you are suggesting that it stores an encrypted
virus on your system, well I guess I would be safe as long as do not decrypt
it?

Of course I should be asleep right now, so if I make a delusional statement,
please forgive me.