WebApp Sec mailing list archives

RE: Growing Bad Practice with Login Forms

From: "Thomas Schreiber" <ts () securenet de>
Date: Tue, 27 Jul 2004 16:56:43 +0200

I see a problem at the semantic level: People should be educated to look at
the unfakeable Browser Icon - and not at some promise inside the webpage -
to convince themselves that the connection is secure *before* they send
sensitive data. What if the button promises 'Secure Login' but after sending
they realized it wasn't - it's to late, the password may already have been
sniffed by some colleague on the same wire.

If people learn at websites they trust, that the browser icon *always*
indicates a secure connection before they send sensitive data, then they
will automatically behave correctly if they encounter a website where this
is not the case: they get suspicious and think twice about clicking the send
button or not.

So I second: bad practice.

Beste Gru?e
Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts () securenet de


  > -----Original Message-----
  > From: Mark Curphey [mailto:mark () curphey com]
  > Sent: Tuesday, July 27, 2004 3:56 PM
  > To:
  > Subject: Growing Bad Practice with Login Forms
  >
  >
  > I am seeing more and more sites implementing a bad practice with login
  > forms.
  >
  > To pick on a high profile site that should know better take ISACA as an
  > example.
  >
  > http://www.isaca.org/
  >
  > In the top left hand corner you will see their secure login button and a
  > graphical padlock embedded into the HTML. Of course if you look
  > at the form
  > tags, this does indeed submit the form over SSL and in the
  > process the SSL
  > handshake checks the certificate and my browser should verify that I am
  > indeed sending my password to isaca.org.
  >
  > But at that point its too late. The check for server
  > authentication is done
  > after I have sent by username and password. This IMHO is a bad
  > practice that
  > has started to creep into other sites including online banking.
  >
  > I have added the issue to the OWASP Pen Test CheckList.

Current thread:

RE: successful anonymous login, (continued)
- - - RE: successful anonymous login Jose Rivera (Jul 27)
    - Re: successful anonymous login Adam Tuliper (Jul 27)
    - RE: successful anonymous login Jose Rivera (Jul 27)
    - RE: successful anonymous login dave kleiman (Jul 27)
    - RE: successful anonymous login Yaakov Yehudi (Jul 28)
    - RE: successful anonymous login V. Poddubnyy (Jul 27)
    - Re: Growing Bad Practice with Login Forms Merlijn Tishauser (Jul 27)
    - RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- Re: Growing Bad Practice with Login Forms Rogan Dawes (Jul 27)
- Re: Growing Bad Practice with Login Forms Andrew Steingruebl (Jul 27)
- RE: Growing Bad Practice with Login Forms Thomas Schreiber (Jul 27)
  - RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
    - Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
    - Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
    - Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
    - Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
    - Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
    - Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)
- Re: Growing Bad Practice with Login Forms Paul Johnston (Jul 28)
- RE: Growing Bad Practice with Login Forms Stan Guzik (Jul 27)
  - RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)

(Thread continues...)