WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?


From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 11:53:18 +0200

maburns () safenet-inc com wrote:
> Amazon does use SSL when you are sending the transaction with your credit
> card data info; the browser padlock comes up and HTTP"s" confirms you are in
> an SSL encrypted tunnel from your desktop to their server

Yes, but Amazon does not use SSL to protect the page in your login to the (critical!) one-click mechanism; see their site: http://www.amazon.com/exec/obidos/flex-sign-in/ref=gw_bt_oc/002-2834753-6756032?opt=a&page=ordering/one-click-address-sign-in-secure.html&response=one-click-main&method=GET&return-url=one-click-main
or a link from my `Hall of Shame of unprotected login pages`...
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
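The distinction the thread turns on (the form posting over HTTPS is not enough if the page carrying the form was delivered over plain HTTP) can be checked mechanically. The script below is an added example, not code from the list or from Amazon; it parses a constructed sample login page instead of fetching a live one, identifies forms that contain a password field, and reports whether both the page URL and the form's submit target use HTTPS. The URL and HTML are assumptions made up for the example.

```python
"""Check whether a login page and its form submit over HTTPS.

Added example (not from the mailing-list thread). It parses the HTML
of a page taken from `page_url` (here a constructed sample instead of a
live fetch), finds every form with a password field, and records the
scheme of the page and of the form's submit target.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects <form> elements and the input types/names inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per login form (a form containing a password field).

    A finding is "protected" only when the page itself AND the form's
    submit target are HTTPS. A plain-HTTP page can be rewritten in transit
    (changing the action or injecting script) before the user ever types
    a password, so an HTTPS action alone does not make the login safe.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        # Relative actions resolve against the page URL; an empty action
        # means the form posts back to the page itself.
        target = urljoin(page_url, form["action"] or page_url)
        target_secure = urlparse(target).scheme == "https"
        findings.append({
            "action": target,
            "page_https": page_secure,
            "action_https": target_secure,
            "protected": page_secure and target_secure,
        })
    return findings


# Constructed sample: a login page served over plain HTTP whose form posts
# to HTTPS. The credentials travel encrypted, but the page that built the
# form did not, which is exactly the pattern the thread complains about.
SAMPLE_URL = "http://shop.example/signin"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://shop.example/signin/submit">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
        status = "OK" if f["protected"] else "UNPROTECTED"
        print(f"{status}: page_https={f['page_https']} "
              f"action_https={f['action_https']} -> {f['action']}")
```

Run against a page fetched over HTTPS the same form is reported as protected; the sample above is flagged because the page URL is plain HTTP even though the action is HTTPS. The search form has no password field and is ignored.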
