WebApp Sec mailing list archives
Summary: Growing Bad Practice with Login Forms
From: <athena () buyukada co uk>
Date: Wed, 28 Jul 2004 00:31:22 +0100 (BST)
Ok, just to round things up... There appear to be two camps on this one.

In the red corner, we have the guys that say 'SSL only tells you the current page is served over SSL, not the page you're linking to. There's no guarantee the credentials are sent to an SSL server, and the phishing exploit of the month, XSS etc. could make a user believe that they're submitting to a secure server (as the SSL icon will appear in the status bar of most browsers) when they aren't. Therefore you should submit the credentials over SSL but not necessarily the login page itself.'

In the blue corner, weighing in at 419 pounds from bankx.com.ng, the guys that say 'The user doesn't know whether or not the submission will be over SSL to a valid site until it's too late. At least using SSL for the first page means that the application has control of where the user goes next.'

A valid point that serves as an uppercut to team blue is that a user clicking a link can be sent to *any* https site, and the uneducated user will click on the link. Equally so, team red takes one in the jaw by losing the confirmation of integrity of the initial page, which can also be *any* http site.

Meanwhile Microsoft in the commentary box tells us that the next version of IE and XP SP2 will render all this pointless anyway. Just like real sports pundits, nobody believes them ;)

The things that are in common with all of this are: users are stupid, unpredictable, and applications would function a lot better without their interaction. We all now know that as long as the username and password themselves are sent over SSL to the correct site, the credentials themselves are safe. It is clear that user elimination^Weducation is the key here. In the same way that sites tell users to look for the padlock, they should also be told to verify the certificate before blindly accepting it, and provided with contact details *when they sign up, not when they log in* for someone to call if things go awry.

It should be noted that a two-page authentication mechanism or one-time pad will allow a user to spot attacks with either red or blue's methods - either way the SSL padlock will disappear when the user submits to the attacker's site, and as long as the user knows that they should verify the cert (and how to), then sending the initial request over http is still possible. A mix of policy, technology and ECT is in order here.

Another way of fixing this is for the site to authenticate to the user. Just as when banking you may get asked for two letters from your passphrase, the application could give you two characters from its passphrase to let you know that it's the real deal. If the characters don't add up ... you're in trouble.

Steve
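The two positions in the summary above both reduce to checks a defender can run against a login page: is the page itself served over HTTPS (team blue's concern), and does every form carrying a password field post to an HTTPS endpoint on the same host (the point both camps agree on)? The audit below is an added example, not code from the list or from any poster; the function name `audit_login_page`, the finding labels, and the `bank.example` / `evil.example` hostnames are assumptions constructed for illustration.

```python
"""Audit a login page for the practice debated in the thread: a login form
served over plain HTTP, or credentials posted to a non-HTTPS or off-site target.
Added example; only the standard library is used so it runs offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, recording its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of finding strings for the page fetched from page_url.

    "page-not-https"                 the login page itself came over plain HTTP,
                                     so anyone on the path can rewrite the form target
    "credentials-not-https: <url>"   a password form posts to a non-HTTPS URL
    "credentials-cross-origin: <url>" a password form posts to a different host
                                     than the page, which a user will not notice
    An empty list means nothing was flagged.
    """
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page-not-https")

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not our concern
        target = urljoin(page_url, form["action"])  # relative actions inherit the page origin
        t = urlsplit(target)
        if t.scheme != "https":
            findings.append("credentials-not-https: " + target)
        if t.hostname != page.hostname:
            findings.append("credentials-cross-origin: " + target)
    return findings


# Constructed sample pages (hypothetical hosts), one per case from the discussion.
LOGIN_RELATIVE = (
    '<html><body><form method="post" action="/login">'
    '<input type="text" name="user"><input type="password" name="pw">'
    '<input type="submit"></form></body></html>'
)
LOGIN_ABSOLUTE_HTTPS = LOGIN_RELATIVE.replace('action="/login"',
                                              'action="https://bank.example/login"')
LOGIN_OFFSITE = LOGIN_RELATIVE.replace('action="/login"',
                                       'action="https://evil.example/login"')
SEARCH_ONLY = '<form action="http://bank.example/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    cases = {
        "blue: https page, relative action": ("https://bank.example/signin", LOGIN_RELATIVE),
        "red: http page, https action": ("http://bank.example/signin", LOGIN_ABSOLUTE_HTTPS),
        "worst: http page, http action": ("http://bank.example/signin", LOGIN_RELATIVE),
        "phish: https page, off-site action": ("https://bank.example/signin", LOGIN_OFFSITE),
    }
    for label, (url, body) in cases.items():
        print(label, "->", audit_login_page(url, body) or "clean")
```

Team red's pattern shows up only as `page-not-https`, which is exactly the residual risk the summary describes: the credentials go over SSL, but nothing guarantees the page that told the browser where to send them was genuine. Running it against real pages would just mean fetching the body with an HTTP client and passing the final URL and body in.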