WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Tue, 28 Jun 2005 01:21:24 -0500
Actually, there's at least one scenario in which remote sniffing is pretty likely: at a Wi-Fi hotspot. Traffic not encrypted with SSL can often get sniffed without difficulty. In this scenario, SSL encryption provides a huge benefit.
<soapbox>I'd like to add another point. Some may disagree and I'm open to debate on this matter. In a world without SSL, it would be easy to glean lots of sensitive user information by hacking into local ISPs and sniffing traffic. The whole reason that hackers aren't into doing this is that everything that's even mildly sensitive goes through SSL tunnels, so hacking the ISP yields very little. But if we all stopped using SSL, "Joe ISP" would become quite an attractive target, and it would become commonplace for arbitrary intermediate network nodes to get attacked. Personally I'm glad I don't have to worry whether or not my ISP is properly secured.
</soapbox> Simon
-----Original Message----- From: Michael Tsentsarevsky[mailto:michael.t () zahav net il] Sent: Monday, June 27, 2005 4:18 AM To: webappsec () securityfocus com Subject: RE: Should login pages beprotected by SSL? The only benefit of SSL as I see it today is the ability to protect a private transaction, by creating an encrypted tunnel - browser to server. This is a good protection in an enterprise environment where there is a chance of another employee sniffing the user's connection. As a fact remote sniffing of data is almost impossible, unless you gain control of the user's computer, the server or a network device between the two. In the first two scenarios (client or server owning) you have the information already - no need for sniffing. The third scenario (network device in the middle) is very unlikely to happen. SSL is the same HTTP, just encapsulated in an encrypted tunnel - nothing more, nothing less.
Current thread:
- RE: Should login pages be protected by SSL?, (continued)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
- Re: Should login pages be protected by SSL? warnings (Jun 28)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 27)
- RE: Should login pages be protected by SSL? Ernest Nelson (Jun 27)
- Re: Should login pages be protected by SSL? Lucas Holt (Jun 30)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 30)