WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?

From: Lucas Holt <luke () foolishgames com>
Date: Thu, 30 Jun 2005 22:31:29 -0400


On Jun 27, 2005, at 12:38 PM, Saqib Ali wrote:


I have nothing against META REFRESH :) . It is just that using them
for redirecting the users from http:// to https:// is a bad bad
design. The Meta referesh tag can be intercepted, or stopped
completely. Plus, the execution of the META tags depends on the
browser, and not the server.

You would have to make sure that you put REFERESH on all the web pages
for something that can be easily done using one URL rewrite statement
on the webserver.

--In Peace,

Saqib Ali
http://www.xml-dev.com/

Wow.. using a server side redirect is not more secure than a metarefresh. Why? At first glance, the logic would be that meta refreshcould be easily changed or the behavior depends on the User Agent.But, in reality the user agent is responsible to handle the HTTPprotocol as well. That means it can interpret the redirect headerin any way it wants just like the meta refresh. Now it might beeasier for a browser plugin to get access to the HTML from the streamwith meta refresh easier in a browser than the HTTP headers. I'venever written a plugin or "toolbar" for ie so I might be off on that.

The url could be intercepted if its included in HTTP headers becausethe original request is not over the HTTPS channel regardless of metarefresh or using an http header via a "server side redirect". Ithink its a common misconception that using server side "commands" issafer. Either way the data could be intercepted and thats why SSL isso important to begin with.

That being said, using a meta refresh creates an additional delay forthe client as many have a timeout value, etc. Its cleaner tomaintain code to do the refresh server side and the data sent to theclient can be smaller. That is a good argument for using serverredirections.



Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
FoolishGames.net (Enemy Territory IoM site)

Think PC.. in 2006 you can own an Apple PCintosh. Whats next, windowsworks?

Current thread:

RE: Should login pages be protected by SSL?, (continued)
- - RE: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 26)
  - Re: Should login pages be protected by SSL? Yanglei (Jun 26)
    - Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
  - RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
    - RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
    - RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
    - Re: Should login pages be protected by SSL? warnings (Jun 28)
  - Re: Should login pages be protected by SSL? Saqib Ali (Jun 27)
    - RE: Should login pages be protected by SSL? Ernest Nelson (Jun 27)
    - Re: Should login pages be protected by SSL? Lucas Holt (Jun 30)
    - Re: Should login pages be protected by SSL? Saqib Ali (Jun 30)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 27)
- RE: Should login pages be protected by SSL? Michael Gargiullo (Jun 27)
- RE: Should login pages be protected by SSL? Simon Zuckerbraun (Jun 28)