WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Asaf Wexler" <Asaf.Wexler () breach com>
Date: Fri, 1 Jul 2005 11:59:09 -0400
Hi,

<Shameless Plug>
Sorry for answering late, but since you wrote you'd "love to see more products/packages with this capability too" I have to mention that any IDS can have visibility into the SSL traffic today. One IDS vendor has this capability implemented internally, and any other IDS can use an SSL passive decryption device; an example of such would be BreachView SSL (which I was responsible for implementing).
</Shameless Plug>

Plugs aside, it appears that the majority of answers so far have been that protecting the login page itself with SSL is better than not doing so (when possible, of course). The only guess that was made at why someone would choose _not_ to protect the login page is when the login page is not really a "page" but a login box as part of the first page of a site. Other than that, I'm not sure performance considerations should play a part here, as you would like the form action itself to be SSL protected, so one page more is not that big a change.

What I would like to know, then, is *why* so many sites (and the examples in Amir's "Hall of Shame" are impressive - BoA, SmithBarney) choose _not_ to protect the login page with SSL. Is it only poor security awareness, or are there other viable considerations for this behavior?

Asaf Wexler, Project Manager, R&D
Breach Security, Inc.

-----Original Message-----
From: Michael Gargiullo [mailto:mgargiullo () pvtpt com]
Sent: Monday, June 27, 2005 5:49 PM
To: Lyal Collins; dave kleiman; webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL?

Comments Inline.
-----Original Message-----
From: Michael Tsentsarevsky [mailto:michael.t () zahav net il]

1. I am sorry to say, but the SSL protocol had become a "security stamp" for a web site. That is, if the site's owner had spent the 2k bucks for a certificate, most of the users will think the web site is "secured" (talk about users education). In real life nothing is farther from the truth!
At present it is an excellent layer of protection and encryption for the individual transaction. It is the only common well known one we have. There are a few companies that make products to add layers of protection to the SSL. The Certs are only about $150, not $2000.

[LC] In Australia, Verisign SGC certs are about A$1750 or ~$1400US

There are other companies other than Verisign (Verisign is the most expensive on the market).
SSL secured sites are leaking user and company information and SSL is not the element to protect against it. Good coding and proper site configuration and architecture are the key for E-commerce security.
Yes, that is true and this is ultimately important, probably even more than SSL, but definitely not instead of!!
2. IDS are network security devices that can intercept hackers that are trying to manipulate data on a web site (sometimes at least). Using SSL will render the IDS useless, because it will not be able to intercept hacking patterns against the site - as the data will be encrypted. That will enable the hacker to do his bidding without fear.
You might want to do a little research here, on how to use your particular IDS/IPS with SSL (SSL Accelerator etc.) or find one that has that feature available.

[LC] I'd love to see more products/packages with this capability too.

IDS - Intrusion Detection; you must be thinking of IPS, Intrusion Protection. Neither of which has anything to do with client-server protection. You want app protection, check out F5 Networks, AppShield. Awesome device for protecting your network app, but still doesn't address data between the client and server. Education will help.
3. SSL was designed to protect the CLIENT by providing a strong identity of the server. But ... most of the users are not familiar with the concepts of PKI and will override the browser's alerts by pressing "Yes" every time the browser is trying to tell them there is a problem with a site.
Actually SSL was designed to encrypt and protect the transaction between two systems. Proper education is the key to any type of security. If your users are having problems grasping the concept point them to this: http://www.securityfocus.com/archive/105/346322

[LC] Trouble is, which 2 machines?

Education should help here. Users should look at the certificate and validate it, but you know that won't happen.
Using SSL is sometimes good, but not in all cases.
Could you give us an example of when it would be bad to use SSL instead of no encryption at all?

[LC] Linking unsuspecting users to a HTTPS web page, via the HTTP link deception process of your choice, that's loaded with infecting Trojans and bypasses the Proxy/malware sweeper, IDS/IPS and some browser AV plugins. Maybe a bit far fetched, but possible in seconds flat.
Lyal

Again, that's an education issue. Https doesn't aid the bad guy in one way or another.

________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com
www.ComputerForensicInvestigations.com
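As an added example (not code from any post in this thread), a small Python audit for the pattern the replies argue about: a page served over HTTP whose login form posts to HTTPS. The function name, the verdict labels and the sample URL/HTML are constructed for illustration; it runs offline on the embedded sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(tuple(self._cur))
            self._cur = None


def audit_login_page(page_url, html):
    """Classify each password form: 'ok' only if the page AND its form
    action are both https. 'form-over-http' is the case the thread
    criticises: the POST is encrypted, but the page carrying the form is
    not, so it can be altered before the user types anything."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        # urljoin resolves relative actions; an empty action posts to page_url
        action_scheme = urlsplit(urljoin(page_url, action)).scheme.lower()
        if page_scheme == "https" and action_scheme == "https":
            verdict = "ok"
        elif action_scheme == "https":
            verdict = "form-over-http"
        else:
            verdict = "credentials-in-clear"
        findings.append((action_scheme, verdict))
    return findings


# Constructed sample (not a real site): HTTP front page with a login box
# posting to HTTPS, plus a non-credential search form that is ignored.
SAMPLE_URL = "http://www.example.com/"
SAMPLE_HTML = """<form action="https://www.example.com/login" method="post">
<input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form>"""
```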