WebApp Sec mailing list archives
Re: Should login pages be protected by SSL? (and comment to moderator)
From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 22 Jun 2005 00:25:05 +1000
On page two, it says for clients / card holders / admins / POS / ATM they state:
"1 Network (e.g. Internet) – must have authentication and encrypted communication to web and/or application server"
I don't think they get much clearer than that. MUST to my standards jaundiced eye means "no exceptions". AND means both authentication and encryption at the same time. So basically, I think that covers off SSL logins - in my book, Visa / MC require it for Internet websites - no exceptions.
thanks, Andrewps. On the bounces, ezmlm should remove them automatically after 5 days. But if it doesn't get better, I'll hassle the Symantec admin staff to help me as I can't always see who the bounces are.
On 22/06/2005, at 1:12 AM, Amir Herzberg wrote:
Andrew, thanks a lot! But, actually, I didn't find in this document a specific requirement to (use SSL to) authenticate the form used to request the credit card number. One may argue that the document allows an implementation that invokes SSL only to encrypt the credit card after the customer filled it in, and not to authenticate the form. Of course I do _not_ recommend this and I think this is vulnerable to many common spoofing attacks; but as I noted, there are important sites that take this approach.So if there is a specific requirement to send an authenticated page, I'll really appreciate it.Comment to moderator: sending to this list results in a crazy number of bounces... you may want to consider pruning them or even better, sending with the name of the list not of the submitter...Best, Amir
Current thread:
- Should login pages be protected by SSL? Amir Herzberg (Jun 20)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 21)
- Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? (and comment to moderator) Andrew van der Stock (Jun 21)
- Re: PCI standards & Should login pages be protected by SSL? Peter Watkins (Jun 21)
- RE: PCI standards & Should login pages be protected by SSL? Lyal Collins (Jun 22)
- Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
- Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)
- Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)