WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?


From: Eoin Keary <eoinkeary () gmail com>
Date: Fri, 24 Jun 2005 08:51:35 +0000

How about using forwards instead of redirects? These are server-side, so safer?
If a transaction is over multiple domains, why not use web services and SAML?
Or am I barking up the wrong tree?



On 22/06/05, Saqib Ali <docbook.xml () gmail com> wrote:
Hello Bob,

I don't totally agree with you, but here are some of my thoughts:

which IMMEDIATELY has in its root web server's directory an "index.html" file containing:
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://merch.domain.com">

Using REFRESH meta tags is a very insecure practice, for obvious
reasons. Redirects to HTTPS should always be performed using URL
rewrites on the server side.

BTW, in my book (going back to being an uber-paranoid person), it's never a good idea to have a SECURED web site
on the same server that is representative of the company's "front door".  Basically, "www.domain.com" is Domain Web
Site, Ink.'s "front door" (so to speak), such that if it is compromised, "merch.domain.com" doesn't lose its data
in the meantime.  However, because "merch.domain.com" is on a separate server, this now DOUBLES the threat of data
loss, data theft, data contamination, integrity modification, etc.

In a secure environment NO critical data should reside on any
webserver. Everything should go in an encrypted DB, running on a
separate machine behind an application-level firewall. If you have a
secure architecture + design, HTTPS and non-HTTPS websites can safely
reside on the same server.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/
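The two approaches discussed in the thread, as an added example that is not part of either message: the meta-refresh page Bob describes beside a server-side redirect of the kind Saqib recommends, written as a small Python function that produces the response a plain-HTTP listener should return. The host names, the allowlist and the request paths are constructed for illustration; a real deployment would put this logic in the web server's rewrite rules rather than in application code.

```python
"""Meta-refresh page vs. server-side 301 redirect to HTTPS.

Added example, not code from the mailing-list thread. Host names, the
allowlist and the sample requests are made up for illustration.
"""
from urllib.parse import quote, urlsplit

# Hosts this redirector may send users to (assumption: operator-maintained).
# Building the Location from an unvalidated Host header would turn the
# plain-HTTP listener into an open redirect.
ALLOWED_HOSTS = {"www.domain.com", "merch.domain.com"}


def meta_refresh_page(target):
    """The approach quoted in the thread: a 200 OK whose HTML body asks the
    browser to navigate. The decision to move to HTTPS is made by the client
    after parsing attacker-modifiable HTML, and non-browser clients ignore it.
    Shown for contrast only."""
    html = '<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=%s">' % target
    return 200, [("Content-Type", "text/html")], html


def https_redirect(host_header, request_target):
    """Server-side redirect: 301 with a Location header and an empty body.

    Returns (status, headers, body). Requests for hosts outside the allowlist
    get a 400 instead of a redirect built from attacker-controlled input.
    """
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port
    if host not in ALLOWED_HOSTS:
        return 400, [("Content-Type", "text/plain")], "Bad Request"

    # Keep only path and query from the request target; urlsplit separates
    # them, and percent-encoding the path keeps CR/LF or spaces out of the
    # Location header (no header injection, no malformed URL).
    parts = urlsplit(request_target)
    path = "/" + parts.path.lstrip("/")
    location = "https://" + host + quote(path, safe="/%~-._")
    if parts.query:
        location += "?" + parts.query

    headers = [
        ("Location", location),
        ("Content-Length", "0"),
        ("Cache-Control", "max-age=3600"),
    ]
    return 301, headers, ""


def location_of(response):
    """Helper for inspecting a response tuple: the Location header, or None."""
    return dict(response[1]).get("Location")


if __name__ == "__main__":
    # Constructed sample requests as a plain-HTTP listener would see them.
    for host, target in [("merch.domain.com", "/checkout?cart=42"),
                         ("Merch.Domain.com:80", "/"),
                         ("evil.example", "/"),
                         ("www.domain.com", "/a b\r\nX-Injected: 1")]:
        status, headers, body = https_redirect(host, target)
        print(status, dict(headers).get("Location"))
    print(meta_refresh_page("https://merch.domain.com")[2])
```

The redirect alone does not remove the weakness Saqib alludes to: the first request still travels over plain HTTP, where either the meta-refresh page or the 301 can be rewritten in transit. The later fix for that is the Strict-Transport-Security header sent by the HTTPS site, which this 2005 thread predates. Note also, with respect to Eoin's question, that a server-side forward is an internal dispatch that never reaches the client, so it cannot move a browser from HTTP to HTTPS; only a redirect (or the client typing the https:// URL) does that.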


