WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Derick Anderson" <danderson () vikus com>
Date: Tue, 21 Jun 2005 16:33:05 -0400
I don't see how SSL-protecting the login form would protect you from MITM attacks if the form is submitting to an SSL-protected page.
It really doesn't, unless the web application uses the same session ID in the SSL session that it does on the unsecured page (if it in fact begins a session before authentication).
I am like you though. I think the login forms should be protected as well. If only because it helps users know what forms are and are not SSL-protected.

Chris
I agree as well though my opinion may not count for much. =) Most of the sites I administer are all SSL, with a port 80 redirect to 443 on the server. It's a performance hit to be sure, but there's never a question about what part of my sites are secure.

Derick Anderson.
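The session ID condition mentioned in the thread above, as an added example that is not part of any poster's message: it contrasts a login that keeps the session ID issued on the unsecured page with one that issues a fresh ID after authentication and marks its cookie Secure. The `SessionStore` class, its method names, the `SESSIONID` cookie name and the user `alice` are hypothetical, constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """In-memory session table: session ID -> user (None before login)."""
    def __init__(self):
        self._sessions = {}

    def start_anonymous(self):
        # Session begun before authentication, e.g. on the plain-HTTP form.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login_reusing_id(self, sid, user):
        # Weak: the ID already sent in cleartext becomes the authenticated ID.
        self._sessions[sid] = user
        return sid

    def login_rotating_id(self, sid, user):
        # Hardened: drop the pre-auth ID and issue a fresh one after login.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid)

def session_cookie(sid):
    """Set-Cookie value for the post-login session; Secure keeps it off port 80."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()

def cleartext_id_is_authenticated(login_method_name):
    """True if the ID that crossed the unsecured page is valid after login."""
    store = SessionStore()
    pre_auth_sid = store.start_anonymous()  # this value travelled over HTTP
    getattr(store, login_method_name)(pre_auth_sid, "alice")  # constructed user
    return store.user_for(pre_auth_sid) is not None

if __name__ == "__main__":
    for name in ("login_reusing_id", "login_rotating_id"):
        print(name, cleartext_id_is_authenticated(name))
    print(session_cookie("constructed-sample-id"))
```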