WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Ivan Ristic <ivanr () webkreator com>
Date: Tue, 27 Jul 2004 21:02:43 +0100


So, ultimately, SSL doesn't buy you anything

  I would really like to see browser manufacturers
  make changes to improve the usefulness of SSL:

  * The difference between a non-SSL and a SSL site should
    be more visible to the user. SSL-enabled connections should
    be made to look more important. The small image in the corner
    does not cut it. I would like to see a red border around the
    whole browser window. Or a red border until you explicitly
    choose to trust a site, at which point it changes to green.
    Something like that.

    Also, why not display the contents of a certificate on
    the screen at all times (e.g. organization name & address).

  * Browsers should remember the public key of a visited server,
    and compare the stored key with the key received upon
    the next visit. Just as SSH does.

  * Session cookies transmitted over an unencrypted channel
    should not be allowed over SSL. The same the other way
    round.

  * No links out of SSL should be allowed (embedded or
    proper links).

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
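Two of the proposals in the post above (remembering a server's public key across visits, the way SSH's known_hosts does, and keeping cookies bound to the channel they were set on) can be sketched in a few lines. The following is an added example written for this archive page, not code from the post or from ModSecurity. It assumes the client has already extracted the server's public key as raw bytes and fingerprints those bytes with SHA-256; the key values and URLs are constructed, and the stores are kept in memory.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample "public keys". A real client would use the DER-encoded
# SubjectPublicKeyInfo taken from the server certificate instead.
KEY_A = b"-----CONSTRUCTED KEY A-----"
KEY_B = b"-----CONSTRUCTED KEY B-----"


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 fingerprint of a server public key."""
    return hashlib.sha256(public_key).hexdigest()


class KnownHosts:
    """Trust-on-first-use store, keyed by host name, modelled on SSH known_hosts."""

    def __init__(self):
        self._store = {}  # host -> fingerprint

    def check(self, host: str, public_key: bytes) -> str:
        """Return "new" on first visit, "match" if unchanged, "mismatch" if changed."""
        fp = fingerprint(public_key)
        stored = self._store.get(host)
        if stored is None:
            self._store[host] = fp  # first visit: remember this key
            return "new"
        if stored == fp:
            return "match"          # same key as last time
        return "mismatch"           # key changed: the client should warn, not proceed silently

    def dump(self) -> str:
        """Serialise the store so it survives between browser sessions."""
        return json.dumps(self._store, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "KnownHosts":
        kh = cls()
        kh._store = dict(json.loads(text))
        return kh


class CookieJar:
    """Cookie jar that only returns a cookie on the scheme it was originally set on."""

    def __init__(self):
        self._cookies = {}  # (host, scheme, name) -> value

    def set_cookie(self, url: str, name: str, value: str) -> None:
        parts = urlsplit(url)
        # The scheme (http or https) becomes part of the cookie's identity.
        self._cookies[(parts.hostname, parts.scheme, name)] = value

    def cookies_for(self, url: str) -> dict:
        """Cookies to send with a request: same host AND same scheme only."""
        parts = urlsplit(url)
        return {
            name: value
            for (host, scheme, name), value in self._cookies.items()
            if host == parts.hostname and scheme == parts.scheme
        }
```

A cookie set over plain http never reaches the https side of the same host, and vice versa, so a session identifier exposed on the unencrypted channel cannot be replayed against the encrypted one. The known-hosts check only flags a changed key; what the client does on "mismatch" (block, or ask the user) is the policy decision the post is asking browser vendors to make.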