WebApp Sec mailing list archives
Re: [summary] Re: Should login pages be protected by SSL?
From: Ole Kasper Olsen <olekasper () gmail com>
Date: Thu, 23 Jun 2005 00:12:05 +0200
On Wed, 22 Jun 2005 14:35:01 +0200, Steve Shah <sshah () risingedge org> wrote:
> Amir Herzberg asked the question of "should login pages be SSL encrypted". The flurry of discussion can be summarized as "Yes" with the following details:
> ...
> 2. Most people believe that a login page *should* be encrypted for web sites carrying important data. (e.g., financial, etc.)

Encryption is not the point. Authentication is. A login page will never contain sensitive data anyway and as long as the form is submitted to a secure server, the data is encrypted just fine.

A problem arises when a customer is tricked into entering credentials at a bogus site. SSL/TLS has decent capability for providing authentication, however the sad truth is (as Michael Silk noted) that a vast majority of surfers do not understand nor read certificates. People don't even look at the URL (many (probably very successful) scams just rely on a semi-decent-looking link which points to an IP address).

--
mvh / Best Regards,
Ole Kasper Olsen
MSc Student -- NISlab / Gjøvik University College