WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Steve Shah <sshah () risingedge org>
Date: Mon, 20 Jun 2005 20:32:41 -0700
On Mon, Jun 20, 2005 at 05:16:46PM -0700, maburns () safenet-inc com wrote:
> The login page cannot be protected by SSL until after the authentication is complete.
This is not true. You can start an SSL session at any point, including the login page itself. As Andrew said in an earlier post, this is a good practice if you're dealing with sensitive data.
> Once the user is authenticated then all information sent between the server and remote user is in an SSL-encrypted tunnel until the session is ended. Again the value of the token is it is a "physical device" and must be present on the user's computer for the login to be successful. SSL VPN
I'm not clear on where the SSLVPN advertisement fits into this conversation, but 2-factor, SSLVPN, and the use of SSL for encrypting login pages are all independent variables. An administrator does not need SSLVPN to secure their web site.

Somewhat related (but reaching) is the topic of SSL acceleration for sites that have higher volumes of SSL traffic. There are several vendors that offer this technology; Google for "ssl acceleration" for a list.

-Steve

--
Steve Shah
sshah () RisingEdge org