WebApp Sec mailing list archives
RE: Non SSL Bank Login Forms
From: "James Strassburg" <JStrassburg () directs com>
Date: Fri, 19 May 2006 12:05:19 -0500
This bothers me a great deal too. When my bank first did this I viewed the page source to make sure that the post was secure. This is not possible for novice users. Where I work, we train employees on security and part of that training involves teaching them to look for the SSL lock. Afterwards, I usually get a few people asking about their bank's website because there is no lock icon.

It seems that more and more banks (and other sites) want the login form on the start page but they don't want SSL there.

It seems to me that the way browsers handle SSL notification is a bit flawed. When visiting a page, I really don't care about how the page I'm viewing arrived. I care about how the forms I type information into are going to leave my machine. Instead of the SSL lock icon in browsers, how about doing something similar for the form input boxes? The browser could check the post action for a match to https://.* or check the current connection if the protocol is not specified in the action. The hard part would be manipulating the control in a way that a malicious site (or XSS attack) couldn't also do using javascript. Perhaps the SSL icon could be accompanied by a warning message (like the certificate warning) when there is any form on the page that will post insecurely.

On a somewhat related topic, I'd also like a warning when I'm posting to a different domain.

James Strassburg

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net]
Sent: Friday, May 19, 2006 12:19 AM
To: wilson.amajohn () gmail com; Webappsec (E-mail)
Subject: Re: Non SSL Bank Login Forms

I work at a bank, and I find this frustrating as well. It is not secure from a phishing perspective - it's how the phishers can make their "password reset" forms look realistic, as you have an implied trust of the (possibly) real page underneath. Having an SSL based page one level deep is a good security idea and I'm terribly frustrated with banks that don't do that.

Luckily, the place I work does this... but for a bad reason. They use a pop up to hide the address bar for no good reason. Luckily, IE 7 prevents this absolutely, so I'm absolutely chuffed. Thank you Microsoft! You helped me win an argument. :)

thanks,
Andrew

On 19/05/2006, at 12:57 AM, wilson.amajohn () gmail com wrote:

Hello all, my question is how can a form have a field that is secure without using SSL. From my web programming experience I cannot understand a Bank's claim that their login form is secure when there is no SSL used. "Signing on to secure sites from an unsecure page is a common industry practice" The POST data has to get to the server; if SSL is not used how can they claim it is secure? I hope I have clarified my question enough.

Thanks
John
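The check James proposes above (look at a form's post action for an https:// scheme, and fall back to the scheme of the current connection when the action carries no protocol) can be written as a small page audit. The following is an added example, not code from anyone in this thread; it uses the standard URL class available in browsers and Node, the form and host names are constructed for the example, and the DOM walk only runs when a document object exists. It also reports the second thing James asks for, whether the form posts to a different origin than the page.

```javascript
// Added example (not from the original thread): classify whether a form
// submission will leave the browser over TLS, following the check described
// in the message above: inspect the action's scheme, and inherit the page's
// scheme when the action is relative or missing.

/**
 * Resolve a form action against the page URL and report whether the
 * submission would travel over https and whether it targets another origin.
 * pageUrl and action are plain strings; action may be empty or relative.
 */
function classifyFormAction(pageUrl, action) {
  const page = new URL(pageUrl);
  // An empty or missing action submits back to the current page.
  const raw = action && action.trim() !== '' ? action : page.href;
  const target = new URL(raw, page.href);
  return {
    target: target.href,
    secure: target.protocol === 'https:',
    crossOrigin: target.origin !== page.origin,
  };
}

/**
 * Audit every <form> in a live DOM (browser only). Returns one finding per
 * form; a caller could use it to flag insecure forms next to their inputs.
 */
function auditDocumentForms(doc, pageUrl) {
  const findings = [];
  for (const form of doc.querySelectorAll('form')) {
    // Read the attribute rather than form.action: the property is already
    // resolved by the browser and is shadowed by any <input name="action">.
    const raw = form.getAttribute('action') || '';
    const hasPasswordField = form.querySelector('input[type="password"]') !== null;
    findings.push({ form, hasPasswordField, ...classifyFormAction(pageUrl, raw) });
  }
  return findings;
}

// Constructed sample: a start page served over plain http with three forms.
// Names and actions are made up for this example.
const SAMPLE_PAGE = 'http://www.example-bank.test/';
const SAMPLE_FORMS = [
  { id: 'login-https', action: 'https://secure.example-bank.test/login' },
  { id: 'login-relative', action: '/login' },            // inherits http: from the page
  { id: 'search-partner', action: 'http://search.partner.test/q' },
];

function auditSampleForms() {
  return SAMPLE_FORMS.map(f => ({ id: f.id, ...classifyFormAction(SAMPLE_PAGE, f.action) }));
}

if (typeof document !== 'undefined') {
  // In a browser: warn about every form whose submission would not use TLS.
  for (const f of auditDocumentForms(document, location.href)) {
    if (!f.secure) {
      console.warn('form posts without TLS:', f.target,
        f.hasPasswordField ? '(contains a password field)' : '');
    }
  }
} else {
  console.table(auditSampleForms());
}
```

On the constructed sample the relative form is reported as insecure because the page itself is http, and the partner form is reported as both insecure and cross-origin. The audit only answers the question James raises (where will the typed data go); it cannot vouch for the page that delivered the form, which is Andrew's point about serving the login page itself over SSL one level deep: a page fetched over plain http, or a look-alike page, can present an action that the user has no reliable way to verify.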