WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?

From: Amir Herzberg <herzbea () macs biu ac il>
Date: Wed, 22 Jun 2005 08:54:38 +0200

Saqib Ali wrote:
>>open-source research project, we develop TrustBar, currently for FireFox
>>and soon also for IE; I'll appreciate your opinion. Download at
>>https://addons.mozilla.org/extensions/moreinfo.php?id=478.
>
>
> I use Trustbar on my win and linux box. it is a nice a little utility.
> But it does NOT provide any greater functionality that the little
> "lock" icon that comes with mozilla by default. I am not really
> interested in who signed the website's certficate. I am more concerend
> with where the website is hosted and who owns the IP netblock.

Saqib, I'm glad you like TrustBar (and btw, we are testing and will soonship new version, with much improved UI - the biggest and justifiedcomplaint - and also improved functionality). However, I'm puzzled byyour comment, which is two sided:

1. You think TrustBar doesn't improve your security. I disagree.TrustBar improves protection dramatically:

1.1 For naive users (Ok, not you!), by making it much clearer when asite is unprotected, and making the identity of (protected) sites clear- by logo or at least name (possibly chosen by user, aka `petname`);current SSL just displays the URL which naive users don't dig at all(and I have usability data to support this common sense...).

1.2 But also for expert users (you!), which know to read URLs and checkfor padlock etc... since it exposes the identity of the CA (again byname or logo). There are many CAs `trusted` by browsers and I doubt youtrust all of them or that you should... In particular some CAs offer`domain validated only` certificates that do not validate the corporateidentity, just the domain - and automtically, allowing gettingcertificate for misleading domain names such as paypaI.com and otherhomographic (e.g. IDN) attacks.

2. You think knowing the owner of the IP address/block will help you.But this does not help against MITM attacks...



--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages:http://AmirHerzberg.com/shame.html

Current thread:

Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Andy bentley (Jun 20)
  - RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 21)
  - Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Kalyan Varma (Jun 21)
- Re: Should login pages be protected by SSL? Stefano Di Paola (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Message not available
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
    - Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
    - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- RE: Should login pages be protected by SSL? maburns (Jun 20)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Torsten Mueller (Jun 21)
    - RE: Should login pages be protected by SSL? Almerindo Graziano (Jun 21)
    - Webapp-level protection/detection of Pharming attacks WebAppSecurity [Technicalinfo.net] (Jun 21)
- RE: Should login pages be protected by SSL? maburns (Jun 20)
  - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)

(Thread continues...)