WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Hellman, Matthew" <Hellman.Matthew () principal com>
Date: Fri, 24 Jun 2005 08:12:31 -0500
What exactly is the situation we're discussing in this thread? I believe it to be sites that present a login form without using SSL, but then encrypt everything thereafter (including the actual login form data). In this context, it's hard to believe that using SSL to protect the login page itself is so "expensive" as to outweigh the advantages of using it. 1) SSL _can_ protect users from phishing and pharming, although I think everybody agrees it won't it most cases. If your users fall victim to this type of attack and you didn't at least offer the ability to validate the login page using an SSL certificate...could you be liable? 2) The "padlock" is a well understood concept to many Internet users. I'm not so sure these same people understand how their information is being protected when the login form has no padlock, but the form posts to a secure URL. Of course, I've seen some sites that fix this problem by just putting a big padlock image on the page;-) Speaking of which, I better secure this email before I forget. ___ /___\ // \\ ======= | | | | ======= IMHO, the short answer is that if you need SSL to protect the credentials and content of your site...you should also protect the login page itself. Matt -----Original Message----- From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] Sent: Wednesday, June 22, 2005 12:05 PM To: Dave Ockwell-Jenner Cc: webappsec () securityfocus com Subject: RE: Should login pages be protected by SSL? I agree, but I can see why most places do not do this. 1) SSL on the server side eats up a lot of cpu time. Yes, this day and age there are proxy boxes,ssl off-load boxes, faster cpu's..ect, But not everybody has the money or time to upgrade. When you get thousands or millions of hits, it can make a difference. 2) Most login functions are more then just a form based login. It may look like your about to enter your info in cleartext, but a correct Page will encrypt the info and pass you to a ssl page. There are a lot of other items besides ssl that can hurt you. One quick example - cookies. A poor program could store info in the clear in a cookie and even leave it on your hard disk. Jeff -----Original Message----- From: Dave Ockwell-Jenner [mailto:doj () solar-nexus com] Sent: Wednesday, June 22, 2005 07:05 AM Cc: webappsec () securityfocus com Subject: Re: Should login pages be protected by SSL? From a purely non-technical viewpoint: it may be a good idea for the login page to be protected by SSL if for no other reason that having the browser show the "padlock" symbol. It's something that non-technical, non-web developer people can see and (somewhat) understand. Since they are typing their password on a page, that's what many associate with - "I'm not entering my password here, I don't see the padlock". Amir Herzberg wrote:
There may be some argument even in this case (privacy, tendency of users to use same passwords, ...). But this was _not_ my intent. I may
not have been clear, but I am interested in sensitive sites - financial, shopping, security (CA, DNS, SSO, Portals, etc.). As you can see in my `Hall of Shame` http://AmirHerzberg.com/shame.html, many
of these don't use SSL to authenticate the login page, only to encrypt
the password (when using a correct login page). So, the real question I'm asking: should login pages to sensitive (e.g. financial) sites be protected by SSL?
-- Dave Ockwell-Jenner Solar Nexus Solutions http://www.solar-nexus.com/ ----------------------------------------- This e-mail message is private and may contain confidential or privileged information. -----Message Disclaimer----- This e-mail message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by reply email to Connect () principal com and delete or destroy all copies of the original message and attachments thereto. Email sent to or from the Principal Financial Group or any of its member companies may be retained as required by law or regulation. Nothing in this message is intended to constitute an Electronic signature for purposes of the Uniform Electronic Transactions Act (UETA) or the Electronic Signatures in Global and National Commerce Act ("E-Sign") unless a specific statement to the contrary is included in this message.
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 22)
- Re: Should login pages be protected by SSL? Bob Radvanovsky (Jun 22)
- Re: Should login pages be protected by SSL? James Barkley (Jun 23)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 23)
- Re: Should login pages be protected by SSL? Eoin Keary (Jun 24)
- RE: Should login pages be protected by SSL? Levenglick, Jeff (Jun 23)
- RE: Should login pages be protected by SSL? Flanagan, Kevin (Jun 23)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Simon Zuckerbraun (Jun 25)
- RE: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 26)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
- Re: Should login pages be protected by SSL? warnings (Jun 28)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)