WebApp Sec mailing list archives

Growing Bad Practice with Login Forms

From: "Mark Curphey" <mark () curphey com>
Date: Tue, 27 Jul 2004 09:55:33 -0400

I am seeing more and more sites implementing a bad practice with login
forms.

To pick on a high profile site that should know better take ISACA as an
example.

http://www.isaca.org/

In the top left hand corner you will see their secure login button and a
graphical padlock embedded into the HTML. Of course if you look at the form
tags, this does indeed submit the form over SSL and in the process the SSL
handshake checks the certificate and my browser should verify that I am
indeed sending my password to isaca.org. 

But at that point its too late. The check for server authentication is done
after I have sent by username and password. This IMHO is a bad practice that
has started to creep into other sites including online banking. 

I have added the issue to the OWASP Pen Test CheckList.

Current thread:

Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- Re: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
  - Re: Growing Bad Practice with Login Forms Rogan Dawes (Jul 27)
  - Re: Growing Bad Practice with Login Forms Devin Heitmueller (Jul 27)
    - Re: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
    - Re: Growing Bad Practice with Login Forms Ivan Ristic (Jul 27)
    - Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 27)
    - Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
    - Re: Growing Bad Practice with Login Forms Ivan Ristic (Jul 28)
  - RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
    - RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)

(Thread continues...)