WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 17:52:08 +0200
Saqib Ali wrote:
I agree; however now this is a question of user awareness and of browser indicators of site identity and security. I agree, and even have done usability testing showing, that current browser UI provides inadequet indicators, definitely for most (naive) users. See paper in my site.Hello, In my opinion protecting the login using SSL is a good idea, and I do it myself. However it does not prevent from phishing etc. A phishing site owner can easily get a SSL protected website as well.
I agree users should install (and be encouraged to install) a browser extension providing improved security and identification UI. As an open-source research project, we develop TrustBar, currently for FireFox and soon also for IE; I'll appreciate your opinion. Download at https://addons.mozilla.org/extensions/moreinfo.php?id=478.I think a better approach is to use Netcraft Anti-Phishing toolbar < http://toolbar.netcraft.com/ >
The problem is that they go to a centralized server for all this - privacy and performance concerns, imho...It clearly displays sites' hosting location, including country, helping you to evaluate fraudulent urls (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).
TrustBar displays name/logo of site and of CA, and allows users to assign their own name/logo to the site (`petname`).
-- Best regards, Amir Herzberg Associate Professor Department of Computer Science Bar Ilan University http://AmirHerzberg.comNew: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 20)
- Re: Should login pages be protected by SSL? Andy bentley (Jun 20)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Kalyan Varma (Jun 21)
- Re: Should login pages be protected by SSL? Stefano Di Paola (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Message not available
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Torsten Mueller (Jun 21)
- RE: Should login pages be protected by SSL? Almerindo Graziano (Jun 21)
- Webapp-level protection/detection of Pharming attacks WebAppSecurity [Technicalinfo.net] (Jun 21)