WebApp Sec mailing list archives
Must we authenticate login forms (using SSL?)?
From: Amir Herzberg <amir.herzberg () gmail com>
Date: Thu, 29 Sep 2005 08:57:09 +0200
mike03051 () yahoo com said:
Amir,Let’s differentiate the issues a bit for clarity. Specifically, let’s
differentiate your Hall of Shame list from
TrustBar features and functions. We should all be able to agree on statements of fact: Both http: and https: (SSL) sites are subject to MITM exploits.
SSL sites may be subject to MITM exploits, but only when users do not check the identity of the subject and issuer in the certificate. Users can validate these identities easily using TrustBar, and in theory even without it. Non-SSL sites (http:) are completely vulnerable to MITM - even the most expert user cannot detect spoofing... except for reading the source code which is clearly not practical... Furthermore, non-SSL sites are subject also to phishing attacks, where the user is tricked into requesting a wrong URL, e.g. from email. Again, SSL sites can be subject to such attack as well, but users are much better protected from it. Without TrustBar, attacker still has to get a cert for the URL from one of the CAs `trusted` by the browser (or trick the user into approving); most attackers simply present a non-SSL site (but some users may notice that). With TrustBar, there is a fair chance for detection even by naive users (noting that they don't get the right logo/name for the site).
I wonder then what is the justification for placing some sites in
your Hall of Shame listing.
It is not unreasonable to view your pages and come to the conclusionthat HOS entries are there because they allow access to login forms
using an HTTP url. Of course.
If that is the case, then I take exception to the prima facia claims
on your site that
These are Hall of Shame. They all submit secure web forms, like any
other secure web site
in the world. Your HOS identified sites are no more (or no less)
susceptible to MITM
than any other site in the world, either.
Well, I guess if you insist, I'll have to change something in my discussions. You may be the first security expert to actually insist on this claim (and that includes experts in companies that have unprotected login sites!). I think I've stated my arguments about as clearly as I can... So if you still disagree, just let me know if you consider yourself a security expert. I'm not saying that your opinion is irrelevant if you are not a security expert, it is just the I want to know if I need to modify my statement (that all security experts I've talked with agreed with non-SSL login sites being worthy of HoS...).
Now as for TrustBar. I have not downloaded or tested TrustBar, so I
cannot vouch for
how well it works, but from the web site it detects HTTPS connections
and attempts to
match the certificate with the url. This helps to read a certificate. One nice touch is the nice logo display for visual verification.Now a question: does it work if the certificate is valid but says
something like
citibank.asecur-e.com? Do your company logo displays from a db or are
they downloaded
from the site?
Of course it `works`, i.e., if you've set Citibank logo to the Citibank site (SSL protected or not) then you'll see if only in the respective Citibank site. Of course, this by itself does not protect users from a MITM attack if the site is unprotected. We are exploring some mechanisms for this, in particular the idea I've been asking this list about which is for sites to digitally sign the pages so they are secure from tampering (even by MITM...). -- Best regards, Amir Herzberg Associate Professor Department of Computer Science Bar Ilan University http://AmirHerzberg.com Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame -- Best regards, Amir Herzberg Associate Professor Department of Computer Science Bar Ilan University http://AmirHerzberg.com Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
Current thread:
- Must we authenticate login forms (using SSL?)? Amir Herzberg (Sep 28)
- <Possible follow-ups>
- Re: Must we authenticate login forms (using SSL?)? info (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Peter Conrad (Sep 30)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Rogan Dawes (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Eoin Keary (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)