WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Eoin Keary <eoinkeary () gmail com>
Date: Fri, 24 Jun 2005 08:51:35 +0000
How about using forwards instead of redirects? These are server side, so safer? If a transaction is over multiple domains, why not use web services and SAML? Or am I barking up the wrong tree?

On 22/06/05, Saqib Ali <docbook.xml () gmail com> wrote:
> Hello Bob,
>
> I don't totally agree with you, but here are some of my thoughts:
>
> > which IMMEDIATELY has in its root web server's directory an "index.html"
> > file containing:
> >
> > <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://merch.domain.com">
>
> Using REFRESH Meta tags is a very insecure practice, for obvious reasons.
> Redirects to HTTPS should always be performed using URL REWRITEs on the
> server side.
>
> > BTW, in my book (going back to being an uber-paranoidic person), it's
> > never a good idea to have a SECURED web site on the same server that is
> > representative as the company's "front door". Basically, "www.domain.com"
> > is Domain Web Site, Ink.'s "front door" (so to speak), such that if it is
> > compromised, "merch.domain.com" doesn't lose its data in the meantime.
> > However, because "merch.domain.com" is on a separate server, this now
> > DOUBLES the threat of data loss, data theft, data contamination,
> > integrity modification, etc.
>
> In a secure environment NO critical data should reside on any webserver.
> Everything should go in an encrypted DB, running on a separate machine
> behind an application level firewall. If you have secure architecture +
> design, HTTPS and non-HTTPS websites can safely reside on the same server.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/
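Added example (editor's illustration, not code posted by anyone in this thread): what a server-side HTTP-to-HTTPS redirect looks like when done as a request handler rather than a META REFRESH in an index.html. The host names www.domain.com and merch.domain.com are the ones used in the thread; the allow-list, the ForceHTTPS middleware name and the sample requests at the bottom are constructed for illustration. Note also that a server-side forward runs inside the same request and so cannot move the browser from http:// to https://; changing scheme needs a redirect, which is what this does.

```python
"""Server-side HTTP -> HTTPS enforcement for a WSGI application.

Added example; not code from the list thread.  The host allow-list and the
sample requests in the demo at the bottom are constructed for illustration.
"""
from urllib.parse import quote

# Hosts this site answers for.  The redirect target is built from the Host
# header, so it is checked against this allow-list first; otherwise a forged
# Host header turns the redirect into an open redirect.
ALLOWED_HOSTS = {"www.domain.com", "merch.domain.com"}   # hypothetical


def https_redirect(environ, allowed_hosts=ALLOWED_HOSTS):
    """Decide what to do with a request that may have arrived over plain HTTP.

    Returns None when the request is already HTTPS (serve it normally),
    otherwise a (status, headers, body) triple to send instead:
      - GET/HEAD -> 301 to the same URL under https://
      - anything else -> 405: the body (e.g. a login form's POST) has already
        crossed the wire in clear, so forwarding it would not make it safe.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return None

    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ("GET", "HEAD"):
        return ("405 Method Not Allowed",
                [("Allow", "GET, HEAD"), ("Content-Type", "text/plain")],
                b"This resource is only available over https://\n")

    # Strip any :port and normalise case before checking the allow-list.
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    host = host.split(":", 1)[0].lower()
    if host not in allowed_hosts:
        return ("400 Bad Request",
                [("Content-Type", "text/plain")],
                b"Unknown host\n")

    # PATH_INFO is already percent-decoded by the WSGI server; re-encode it.
    # QUERY_STRING is passed through untouched (it is still raw).
    path = quote(environ.get("PATH_INFO") or "/", safe="/")
    query = environ.get("QUERY_STRING", "")
    location = "https://" + host + path + ("?" + query if query else "")
    return ("301 Moved Permanently",
            [("Location", location), ("Content-Length", "0")],
            b"")


class ForceHTTPS:
    """WSGI middleware: apply https_redirect() before the wrapped app runs."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed_hosts = allowed_hosts

    def __call__(self, environ, start_response):
        verdict = https_redirect(environ, self.allowed_hosts)
        if verdict is None:
            return self.app(environ, start_response)
        status, headers, body = verdict
        start_response(status, headers)
        return [body]


def make_environ(scheme, method, host, path, query=""):
    """Build a minimal constructed WSGI environ for the demo below."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}


if __name__ == "__main__":
    # A plain-HTTP GET is bounced to the same URL over HTTPS ...
    print(https_redirect(make_environ("http", "GET", "merch.domain.com",
                                      "/login", "next=/cart")))
    # ... a plain-HTTP POST of the login form is refused rather than forwarded ...
    print(https_redirect(make_environ("http", "POST", "merch.domain.com", "/login")))
    # ... and a forged Host header does not become an open redirect.
    print(https_redirect(make_environ("http", "GET", "evil.example", "/")))
```

Two design choices worth spelling out: the POST case is refused rather than redirected with 307, because by the time the server sees a plain-HTTP POST the credentials have already travelled in clear, so re-issuing it over HTTPS only hides the problem; and the Location header is built from an allow-listed Host rather than echoed, since a redirect that trusts the Host header is an open redirect. On a current deployment you would pair this with a Strict-Transport-Security header on the HTTPS responses so returning browsers never make the plain-HTTP request at all.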
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 22)
- Re: Should login pages be protected by SSL? Bob Radvanovsky (Jun 22)
- Re: Should login pages be protected by SSL? James Barkley (Jun 23)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 23)
- Re: Should login pages be protected by SSL? Eoin Keary (Jun 24)
- RE: Should login pages be protected by SSL? Levenglick, Jeff (Jun 23)
- RE: Should login pages be protected by SSL? Flanagan, Kevin (Jun 23)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Simon Zuckerbraun (Jun 25)
- RE: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 26)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)