WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Peter Watkins <peterw () usa net>
Date: Tue, 21 Jun 2005 09:04:26 -0400
On Mon, Jun 20, 2005 at 11:28:14PM -0700, bluewizard83-de4gahsh () yahoo com wrote:
-- Amir Herzberg <herzbea () macs biu ac il> wrote:Here is a simple question: should web login forms be always protected by SSL?Let me check to see if I understand what you are asking. Do you mean something like: login form at http://www.site.org/login.html with a login form that submits to something like https://secure.site.org/auth.cgi? In my opinion the login form doesn't need to be protected with SSL, but the form MUST submit to a SSL protected page if there is any data of any value being transmitted.
I think Amir has a good point, though it's not always black-and-white.
As a crypto/security expert, my answer is yes. I think this is necessary, to protect against MITM attacks, as well as from the more common and easy phishing, pharming, and other forms of spoofing attacks,I don't see how SSL-protecting the login form would protect you from MITM attacks if the form is submitting to a SSL protected page.
A MITM attack would, presumably, substitute the http-served "login form" with a lookalike that did something slightly different, perhaps something as subtle as copy/transmit the credentials to the attacker's site *before* allowing the victim's browser to transmit them to the https processing URL. Lots of sites embed little username/password boxes on their http pages, and I generally agree with Amir that those layouts are dangerous. At least offer the users a "secure login" link that'll take them to an https URL with a recognized & reputable domain name, etc. On sites I'm responsible for, there's a dedicated Single Sign On app on a single https URL -- not as quick as the username/password embedded in the http page, but I don't have to worry so much about MITM/phishing/XSS spoofs fooling our users into having their credentials phished. -Peter
Current thread:
- Re: [summary] Re: Should login pages be protected by SSL?, (continued)
- Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)