Re: Should login pages be protected by SSL?

[Peter Watkins <peterw () usa net>]

On Mon, Jun 20, 2005 at 11:28:14PM -0700, bluewizard83-de4gahsh () yahoo com wrote:
> -- Amir Herzberg <herzbea () macs biu ac il> wrote:
> > Here is a simple question: should web login forms be always protected
> > by SSL?
>
> Let me check to see if I understand what you are asking.  Do you mean
> something like:
>
> login form at http://www.site.org/login.html with a login form that
> submits to  something like https://secure.site.org/auth.cgi?
>
> In my opinion the login form doesn't need to be protected with SSL, but
> the form MUST submit to a SSL protected page if there is any data of
> any value being transmitted.

I think Amir has a good point, though it's not always black-and-white.

> > As a crypto/security expert, my answer is yes. I think this is 
> > necessary, to protect against MITM attacks, as well as from the more 
> > common and easy phishing, pharming, and other forms of spoofing
> > attacks, 
>
> I don't see how SSL-protecting the login form would protect you from
> MITM attacks if the form is submitting to a SSL protected page.

A MITM attack would, presumably, substitute the http-served "login form"
with a lookalike that did something slightly different, perhaps something
as subtle as copy/transmit the credentials to the attacker's site *before*
allowing the victim's browser to transmit them to the https processing URL.

Lots of sites embed little username/password boxes on their http pages,
and I generally agree with Amir that those layouts are dangerous. At least
offer the users a "secure login" link that'll take them to an https URL
with a recognized & reputable domain name, etc.

On sites I'm responsible for, there's a dedicated Single Sign On app on
a single https URL -- not as quick as the username/password embedded in
the http page, but I don't have to worry so much about MITM/phishing/XSS
spoofs fooling our users into having their credentials phished.

-Peter