WebApp Sec mailing list archives

RE: Should login pages be protected by SSL?


From: maburns () safenet-inc com
Date: Mon, 20 Jun 2005 17:16:46 -0700

The login page cannot be protected by SSL until after the authentication is
complete. Once the user is authenticated, all information sent between
the server and remote user is in an SSL-encrypted tunnel until the session is
ended. Again, the value of the token is that it is a "physical device" and must be
present on the user's computer for the login to be successful. SSL VPN
appliances for secure remote access with two-factor authentication built in
are available from SafeNet and range in price from 4,995 for 10 concurrent
users to 82,000 for 1,000 concurrent users, and come with the tokens in the
box.

-----Original Message-----
From: Mary Ann Burns 
Sent: Monday, June 20, 2005 5:04 PM
To: vanderaj () greebo net; herzbea () macs biu ac il
Cc: webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL? 


Amazon does use SSL when you are sending the transaction with your credit
card data; the browser padlock comes up and the HTTP "s" confirms you are in
an SSL-encrypted tunnel from your desktop to their server.



-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net]
Sent: Monday, June 20, 2005 4:42 PM
To: herzbea () macs biu ac il
Cc: webappsec () securityfocus com
Subject: Re: Should login pages be protected by SSL? 

Depends on the value of the system in use.

I help develop forum software, and millions of people use forum software
without SSL every day. In fact, most forum software has a password-
equivalent cookie which can lead to complete compromise from cookie
stealing, and yet most users will not give up the convenience of auto-login.

OTOH, where the login leads to private data, such as your name and address,
I feel that corporations have a duty of care to protect your data under the
various privacy acts around the world. The cost of a certificate is much
less than potential litigation, or more to the point, reputation loss if
someone discovers a way around it.

However, if it's a shopping cart type of thing, like Amazon, the thing that
should be SSL is not the browsing of goods, but the transactions,
particularly the credit card and address details. The Visa/MC PCI guidelines
are quite stringent on applying reasonable controls to this data. In the
case of Amazon 1-Click, then effectively the 1-Click is the thing requiring
protection, so some form of control around that is also required. So if
you're allowed to browse and add items without SSL (i.e. you're using some
form of password analog in the cookie), then as soon as you're about to see
some private data, my view is that re-authentication and completing the
transaction over SSL should be required. Going SSL may not necessarily help
with CSRF attacks.

If the corp has COBIT requirements (i.e. they're using COBIT to do SOX), then
you might have better luck; grab COBIT and see what controls should have
been applied. That usually focuses their attention, particularly if the
application forms part of their financial systems.

Lastly, if SSL is not used the entire time, then the "Secure" option of the
cookie cannot be used. This is a weakening of an already weak control, but
people shouldn't throw it away just to save a few bucks on a certificate.

Andrew

On 21/06/2005, at 2:20 AM, Amir Herzberg wrote:

Here is a simple question: should web login forms be always protected 
by SSL?
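The trade-off Andrew describes (a password-equivalent auto-login cookie that travels in the clear on non-SSL pages, versus a cookie that carries the "Secure" attribute and therefore never reaches the site's HTTP pages at all) can be made concrete by modelling the browser's cookie-sending rule. The following is an added example written for this archive page, not code from any poster or product in the thread; the site URLs, cookie names and session values are constructed sample data, and the model deliberately ignores Domain/Path matching, assuming the cookie matches every URL on the same host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def make_session_cookie(name: str, value: str, site_fully_ssl: bool) -> str:
    """Build a Set-Cookie header value for a login/session cookie.

    HttpOnly is always set (keeps script on the page from reading it).
    Secure is set only when the whole site is served over SSL, because a
    Secure cookie is never sent to http:// pages, which would break
    auto-login on any page still served in the clear.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if site_fully_ssl:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header: str):
    """Parse one Set-Cookie header value into (name, morsel) using the stdlib parser."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return name, morsel


def browser_would_send(set_cookie_header: str, request_url: str) -> bool:
    """Model the rule a browser applies to the Secure attribute:
    a cookie flagged Secure is attached only to requests over https.
    A cookie without the flag is sent on both http and https."""
    _, morsel = parse_set_cookie(set_cookie_header)
    scheme = urlsplit(request_url).scheme.lower()
    if morsel["secure"] and scheme != "https":
        return False
    return True


def exposure_report(set_cookie_header: str, urls):
    """For each URL return (sent, in_clear): whether the cookie would be
    attached to the request and whether it would then cross the wire
    unencrypted, i.e. be stealable by anyone who can sniff the traffic."""
    report = {}
    for url in urls:
        sent = browser_would_send(set_cookie_header, url)
        in_clear = sent and urlsplit(url).scheme.lower() != "https"
        report[url] = (sent, in_clear)
    return report


# Constructed sample: a forum that serves its login form over SSL but the
# rest of the site over plain HTTP (hypothetical host, not a real site).
MIXED_SITE_URLS = [
    "https://forum.example/login",
    "http://forum.example/viewtopic?t=1",
    "http://forum.example/profile",
]

if __name__ == "__main__":
    weak = make_session_cookie("autologin", "0123456789abcdef", site_fully_ssl=False)
    strong = make_session_cookie("autologin", "0123456789abcdef", site_fully_ssl=True)
    for label, header in (("no Secure flag", weak), ("Secure flag", strong)):
        print(label, "->", header)
        for url, (sent, in_clear) in exposure_report(header, MIXED_SITE_URLS).items():
            print(f"  {url}: sent={sent} travels_in_clear={in_clear}")
```

Running it shows the two halves of the argument: without the Secure flag the auto-login cookie works on every page but is visible to a passive observer on each http:// request; with the flag it is never exposed, but it is also never sent to the http:// pages, so auto-login only works once the whole site moves behind SSL.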

