WebApp Sec mailing list archives

Re: [summary] Re: Should login pages be protected by SSL?


From: Ole Kasper Olsen <olekasper () gmail com>
Date: Thu, 23 Jun 2005 00:12:05 +0200

On Wed, 22 Jun 2005 14:35:01 +0200, Steve Shah <sshah () risingedge org> wrote:

Amir Herzberg asked the question of "should login pages be SSL
encrypted". The flurry of discussion can be summarized as "Yes"
with the following details:
...
2. Most people believe that a login page *should* be encrypted
   for web sites carrying important data. (e.g., financial, etc.)

Encryption is not the point. Authentication is. A login page will
never contain sensitive data anyway and as long as the form is
submitted to a secure server, the data is encrypted just fine. A
problem arises when a customer is tricked into entering credentials at
a bogus site.

SSL/TLS has decent capability for providing authentication, however
the sad truth is (as Michael Silk noted) that a vast majority of
surfers do not understand nor read certificates. People don't even
look at the URL (many (probably very successful) scams just rely on a
semi-decent-looking link which points to an IP address).

-- 
mvh / Best Regards,
Ole Kasper Olsen
MSc Student -- NISlab / Gjøvik University College
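The point above is that serving the login page over plain HTTP leaves the page itself unauthenticated even when the form posts to HTTPS, so the form action can be changed before the user submits. As an added illustration (not code from anyone in this thread), the audit function below checks a fetched login page for exactly those conditions: the page's own scheme, and whether each form containing a password field posts over HTTPS to the same host. The function name, the `bank.example` / `bogus.example` hostnames and the sample HTML are all constructed for this example.

```python
"""Audit a login page for the weakness discussed in the thread: the page
served over plain HTTP (so an on-path attacker can rewrite the form action),
or a password form whose action posts over HTTP or to a foreign host.

Added example; not from the mailing-list thread. All sample HTML and
hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its raw action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str | None, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append(
            "page served over %s: its form action is not authenticated and can be "
            "rewritten in transit before the user submits" % page.scheme)

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A missing or empty action means "submit to the current URL".
        action = urljoin(page_url, form["action"] or "")
        target = urlsplit(action)
        if target.scheme != "https":
            findings.append("password form posts over %s to %s" % (target.scheme, action))
        if target.hostname != page.hostname:
            findings.append("password form posts to a different host: %s" % target.hostname)
    return findings


# Constructed sample: page over HTTP, form posts to HTTPS on the same host
# (the case the thread argues is still not good enough).
HTTP_PAGE_HTTPS_FORM = """
<html><body>
<form action="https://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>
"""

# Constructed sample: page and form both HTTPS, same host (relative action).
GOOD_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>
"""

# Constructed sample: HTTPS page whose form action has been pointed at a bogus host.
FOREIGN_ACTION = """
<form action="https://bogus.example/collect" method="post">
  <input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for url, html in [("http://bank.example/login", HTTP_PAGE_HTTPS_FORM),
                      ("https://bank.example/login", GOOD_PAGE),
                      ("https://bank.example/login", FOREIGN_ACTION)]:
        print(url, audit_login_page(url, html) or ["ok"])
```

Run against a page fetched from your own site, the first sample reproduces the thread's argument: the credentials would be encrypted on submission, yet the audit still flags the page because the HTTP-served form is what decides where they go.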

