WebApp Sec mailing list archives
RE: Growing Bad Practice with Login Forms
From: "Thomas Schreiber" <ts () securenet de>
Date: Tue, 27 Jul 2004 16:56:43 +0200
I see a problem at the semantic level: People should be educated to look at the unfakeable browser icon - and not at some promise inside the web page - to convince themselves that the connection is secure *before* they send sensitive data. What if the button promises 'Secure Login' but after sending they realize it wasn't - it's too late, the password may already have been sniffed by some colleague on the same wire.

If people learn at websites they trust that the browser icon *always* indicates a secure connection before they send sensitive data, then they will automatically behave correctly if they encounter a website where this is not the case: they get suspicious and think twice about clicking the send button or not.

So I second: bad practice.

Best regards
Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts () securenet de

> -----Original Message-----
> From: Mark Curphey [mailto:mark () curphey com]
> Sent: Tuesday, July 27, 2004 3:56 PM
> To:
> Subject: Growing Bad Practice with Login Forms
>
>
> I am seeing more and more sites implementing a bad practice with login
> forms.
>
> To pick on a high profile site that should know better, take ISACA as an
> example.
>
> http://www.isaca.org/
>
> In the top left hand corner you will see their secure login button and a
> graphical padlock embedded into the HTML. Of course if you look at the form
> tags, this does indeed submit the form over SSL and in the process the SSL
> handshake checks the certificate and my browser should verify that I am
> indeed sending my password to isaca.org.
>
> But at that point it's too late. The check for server authentication is done
> after I have sent my username and password. This IMHO is a bad practice that
> has started to creep into other sites including online banking.
>
> I have added the issue to the OWASP Pen Test CheckList.
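The check Mark Curphey describes adding to the pen test checklist can be automated. The following is an added example, not code from this thread or from OWASP: it parses an already-fetched page and flags every form that carries a password field, distinguishing the case the thread is about (page served over plain HTTP, form action https://) from the worse case of submitting credentials in the clear. The page URL, host names and HTML below are constructed for the example and are not ISACA's real page; in practice you fetch the page with whatever HTTP client you use and pass the body in.

```python
"""Audit login forms for the 'secure button on an insecure page' pattern.

Added example for the thread above; not code from the list or from OWASP.
A page served over HTTP can be rewritten by anyone on the path before the
browser ever starts the SSL handshake for the form's https:// action, so
the padlock in the HTML promises nothing.  The sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action and whether it holds
    an <input type="password">."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(resolved_action, finding)] for every form with a password
    field.  Findings:
      'plaintext-submit' : credentials leave the browser unencrypted
      'insecure-origin'  : page is not https, so the form (including its
                           https:// action) can be tampered with before
                           the user submits; the pattern from the thread
      'ok'               : page and action are both https
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if action_scheme != "https":
            finding = "plaintext-submit"
        elif page_scheme != "https":
            finding = "insecure-origin"
        else:
            finding = "ok"
        findings.append((form["action"], finding))
    return findings


# Constructed sample page: a harmless search form, a 'Secure Login' form
# posting to https from an http page, and a legacy form posting in the clear.
SAMPLE_PAGE = """
<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="https://www.example.org/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Secure Login">
</form>
<form action="http://legacy.example.org/auth" method="post">
  <input name="user"><input name="pass" type="PASSWORD">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, finding in audit_login_forms("http://www.example.org/", SAMPLE_PAGE):
        print(f"{finding:18} {action}")
```

The same login form is reported as 'ok' only when the page URL itself is https; the action URL alone never makes it so, which is exactly the point of the thread.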
Current thread:
- RE: successful anonymous login, (continued)
- RE: successful anonymous login Jose Rivera (Jul 27)
- Re: successful anonymous login Adam Tuliper (Jul 27)
- RE: successful anonymous login Jose Rivera (Jul 27)
- RE: successful anonymous login dave kleiman (Jul 27)
- RE: successful anonymous login Yaakov Yehudi (Jul 28)
- RE: successful anonymous login V. Poddubnyy (Jul 27)
- Re: Growing Bad Practice with Login Forms Merlijn Tishauser (Jul 27)
- RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
- Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
- Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
- Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)
- RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)