WebApp Sec mailing list archives

And the best quote award goes to...


From: "Mark Mcdonald" <m.mcdonald () cgl com au>
Date: Wed, 28 Jul 2004 08:46:13 +0800


"Users are stupid, unpredictable, and applications would function a lot
better without their interaction."

Priceless :)

        Mark McDonald | CGL 
                    is | web developer 


-----Original Message-----
From: athena () buyukada co uk [mailto:athena () buyukada co uk] 
Sent: Wednesday, 28 July 2004 7:31 AM
To: webappsec () lists securityfocus com
Subject: Summary: Growing Bad Practice with Login Forms


Ok, just to round things up...

There appear to be two camps on this one.

In the red corner, we have the guys that say 'SSL only tells you the
current page is served over SSL, not the page you're linking to. There's
no guarantee the credentials are sent to an SSL server and phishing
exploit of the month, XSS etc. could make a user believe that they're
submitting to a secure server (as the SSL icon will appear in the status
bar of most browsers) when they aren't. Therefore you should submit the
credentials over SSL but not necessarily the login page itself.'

In the blue corner, weighing in at 419 pounds from bankx.com.ng, the guys
that say 'The user doesn't know whether or not the submission will be over
SSL to a valid site or not until it's too late. At least using SSL for the
first page means that the application has control of where the user goes
next.'

A valid point that serves as an uppercut to team blue is that a user
clicking a link can be sent to *any* https site, and the uneducated user
will click on the link.

Equally so, team red takes one in the jaw by losing the confirmation of
integrity of the initial page, which can also be *any* http site.

Meanwhile Microsoft in the commentary box tells us that the next version
of IE and XP SP2 will render all this pointless anyway. Just like real
sports pundits, nobody believes them ;)
The things that are in common with all of this are:

Users are stupid, unpredictable, and applications would function a lot
better without their interaction.

We all now know that as long as the username and password themselves are
sent over SSL to the correct site that the credentials themselves are
safe.

It is clear that user elimination^Weducation is the key here. In the same
way that sites tell users to look for the padlock, they should also be
told to verify the certificate before blindly accepting it, and provided
with contact details *when they sign up, not when they log in* for someone
to call if things go awry.

It should be noted that a two-page authentication mechanism or
one-time-pad will allow a user to spot attacks with either red or blue's
methods - either way the SSL padlock will disappear when the user submits
to the attacker's site, and as long as the user knows that they should
verify the cert (and how to) then sending the initial request over http is
still possible. A mix of policy, technology and ECT is in order here.

Another way of fixing this is for the site to authenticate to the user.
Just as when banking you may get asked for two letters from your
passphrase, the application could give you two characters from its
passphrase to let you know that it's the real deal. If the characters don't
add up ... you're in trouble.
Steve



*** DISCLAIMER ****

This e-mail and any attachments to it are confidential. 
If you receive them in error, please tell us immediately and delete them. 
You must not retain, distribute, disclose or otherwise use any 
information contained in them.


Before opening or using any attachments with this e-mail you should check
them for viruses and other defects. The sender does not warrant that they
will be free from computer viruses or other defects.

*******************
