WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: Rogan Dawes <discard () dawes za net>
Date: Tue, 27 Jul 2004 16:18:22 +0200
Mark Curphey wrote:
I am seeing more and more sites implementing a bad practice with login forms. To pick on a high profile site that should know better take ISACA as an example. http://www.isaca.org/ In the top left hand corner you will see their secure login button and a graphical padlock embedded into the HTML. Of course if you look at the form tags, this does indeed submit the form over SSL and in the process the SSL handshake checks the certificate and my browser should verify that I amindeed sending my password to isaca.org.But at that point its too late. The check for server authentication is done after I have sent by username and password. This IMHO is a bad practice thathas started to creep into other sites including online banking.
Not so much "too late", I think. If the check fails, the username and password will not be sent, unless you accept the certificate error.
Client -------------------- Server
TCP Syn ->
<- TCP SYN/ACK
TCP ACK ->
Initiate SSL handshake ->
...
verify server cert OK
-> POST /xxxxxxx
-> username=x&password=y
<- 200 Ok
The above sequence would abort prior to the POST, with no compromise of
the credentials, IFF the certificate is incorrect.
The issue really seems to be that you have no proof that the HTML page that is displaying the form is legit. In my experience, it is very unusual for people to verify the destination of a login form by checking the source to the page.
So the page displaying the form could be completely bogus, forged, delivered through a MITM, etc, with the form destination changed to whatever the attacker chooses. That seems to be the "reason" that this is bad practice.
In my opinion (and echoing yours, I'd say), either users should be invited to click a link taking them to a secure login page, or all pages that display login boxes should be served over HTTPS.
Obviously, if your site template includes a login box, such that all pages have one, this could mean running your entire site over SSL. In such a case, it would be better to have a link to a secure login page.
Rogan -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- successful anonymous login, (continued)
- successful anonymous login Jose Rivera (Jul 27)
- Re: successful anonymous login Adam Tuliper (Jul 27)
- RE: successful anonymous login Jose Rivera (Jul 27)
- Re: successful anonymous login Adam Tuliper (Jul 27)
- RE: successful anonymous login Jose Rivera (Jul 27)
- RE: successful anonymous login dave kleiman (Jul 27)
- RE: successful anonymous login Yaakov Yehudi (Jul 28)
- RE: successful anonymous login V. Poddubnyy (Jul 27)
- Re: Growing Bad Practice with Login Forms Merlijn Tishauser (Jul 27)
- RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
- Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
- Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
- Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)