WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Michael Tsentsarevsky" <michael.t () zahav net il>
Date: Mon, 27 Jun 2005 12:18:12 +0300
The only benefit of SSL as I see it today is the ability to protect a private transaction by creating an encrypted tunnel, browser to server. This is a good protection in an enterprise environment where there is a chance of another employee sniffing the user's connection. As a matter of fact, remote sniffing of data is almost impossible unless you gain control of the user's computer, the server, or a network device between the two. In the first two scenarios (client or server owning) you have the information already, so there is no need for sniffing. The third scenario (network device in the middle) is very unlikely to happen.

SSL is the same HTTP, just encapsulated in an encrypted tunnel, nothing more, nothing less.

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Sunday, June 26, 2005 9:08 PM
To: webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL?

Inline
-----Original Message-----
From: Michael Tsentsarevsky [mailto:michael.t () zahav net il]
1. I am sorry to say, but the SSL protocol has become a "security stamp" for a web site. That is, if the site's owner has spent the 2k bucks for a certificate, most of the users will think the web site is "secured" (talk about user education). In real life nothing is farther from the truth!
At present it is an excellent layer of protection and encryption for the individual transaction. It is the only common, well-known one we have. There are a few companies that make products to add layers of protection to SSL. The certs are only about $150, not $2000.
SSL secured sites are leaking user and company information and SSL is not the element to protect against it. Good coding and proper site configuration and architecture are the key for E-commerce security.
Yes, that is true, and this is ultimately important, probably even more than SSL, but definitely not instead of it!!
2. IDSs are network security devices that can intercept hackers who are trying to manipulate data on a web site (sometimes, at least). Using SSL will render the IDS useless, because it will not be able to intercept hacking patterns against the site, as the data will be encrypted. That will enable the hacker to do his bidding without fear.
You might want to do a little research here, on how to use your particular IDS/IPS with SSL (SSL Accelerator etc.) or find one that has that feature available.
3. SSL was designed to protect the CLIENT by providing a strong identity of the server. But... most of the users are not familiar with the concepts of PKI and will override the browser's alerts by pressing "Yes" every time the browser tries to tell them there is a problem with a site.
Actually SSL was designed to encrypt and protect the transaction between two systems. Proper education is the key to any type of security. If your users are having problems grasping the concept point them to this: http://www.securityfocus.com/archive/105/346322
Using SSL is sometimes good, but not in all cases.
Could you give us an example of when it would be bad to use SSL instead of no encryption at all?

________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com
www.ComputerForensicInvestigations.com
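The thread's question is whether a login page needs the "encrypted tunnel" Michael describes. A practical way to settle it for a given site is to check two things a defender controls: whether the form that carries the password submits to an https action, and whether the login page itself was delivered over https (a page served in the clear can have its form action rewritten by anyone on the path before the user types anything). The following script is an added example, not code from either poster; the sample HTML and the shop.example URLs are constructed for illustration, and it uses only the Python standard library.

```python
"""Check whether a login form would send credentials over TLS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect every <form> on the page together with its resolved action URL
    and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or relative action resolves against the page URL itself
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def check_login_page(page_url, html):
    """Return a list of findings for the password forms on a page.

    Two conditions are reported:
      * the form action is not https, so the password leaves the browser in the clear;
      * the page was served over plain http, so the form could be altered in transit
        before the user ever sees it, even if the action itself says https.
    """
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlparse(form["action"]).scheme
        if action_scheme != "https":
            findings.append(f"password form posts over {action_scheme}: {form['action']}")
        if page_scheme != "https":
            findings.append(f"login form delivered over {page_scheme}: {page_url}")
    return findings


# Constructed sample pages (not from any real site)
SAMPLE_RELATIVE = (
    '<html><body><form method="post" action="/dologin">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit"></form></body></html>'
)
SAMPLE_MIXED = (
    '<html><body><form method="post" action="http://shop.example/dologin">'
    '<input name="user"><input type="password" name="pass">'
    '</form></body></html>'
)


if __name__ == "__main__":
    for url, page in [("http://shop.example/login", SAMPLE_RELATIVE),
                      ("https://shop.example/login", SAMPLE_RELATIVE),
                      ("https://shop.example/login", SAMPLE_MIXED)]:
        print(url, "->", check_login_page(url, page) or ["ok"])
```

Run against a page fetched with the site's own URL, the checker gives an answer to "is this login protected?" that does not depend on the padlock icon the users in point 3 ignore. The second condition is why the page itself, not only the POST target, has to be https.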
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
- Re: Should login pages be protected by SSL? warnings (Jun 28)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 27)
- RE: Should login pages be protected by SSL? Ernest Nelson (Jun 27)
- Re: Should login pages be protected by SSL? Lucas Holt (Jun 30)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 30)