WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Andrew Steingruebl <asteingruebl () cccis com>
Date: Tue, 27 Jul 2004 09:07:07 -0500

On Tue, Jul 27, 2004 at 09:55:33AM -0400, Mark Curphey wrote:

> In the top left hand corner you will see their secure login button and a
> graphical padlock embedded into the HTML. Of course if you look at the form
> tags, this does indeed submit the form over SSL and in the process the SSL
> handshake checks the certificate and my browser should verify that I am
> indeed sending my password to isaca.org.
>
> But at that point it's too late. The check for server authentication is done
> after I have sent my username and password. This IMHO is a bad practice that
> has started to creep into other sites including online banking.

I'm not sure I understand your complaint.  Yes, it does allow a site to
pretend to use encryption and then not, but the SSL handshake is done
before any data is sent to the remote server.  The server's certificate
will be verified before any other data flows between the client and
server. 

What specifically are you concerned with?

--
Andy Steingruebl

