WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Torsten Mueller <torsten () archesoft de>
Date: Tue, 21 Jun 2005 17:23:44 +0200
Hello, possibly i didn't get the whole discussion, but i did read your mail. Amir Herzberg schrieb:
Yes, but Amazon does not use SSL to protect the page in your login to the (critical!) one-click mechanism, see at their site http://www.amazon.com/exec/obidos/flex-sign-in/ref=gw_bt_oc/002-2834753-6756032?opt=a&page=ordering/one-click-address-sign-in-secure.html&response=one-click-main&method=GET&return-url=one-click-main
At least you send the datas to a SSL server, as the form action is:<form action=https://www.amazon.com/exec/obidos/flex-sign-in-done/102-3033151-0316943 method=POST>
Even if the login form itself is not protected, the datas you enter and submit are protected. If you want to complain, that the login form itself isn't on a SSL protected server, o.k. you are right. But even, if it would be on a SSL protected server the form action could lead to an non SSL capable webserver. So the important part is not, from where the login form comes, but where the datas are sent. (IMO this should be checked by the client/browser.) But only my 2 cents. Torsten
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Kalyan Varma (Jun 21)
- Re: Should login pages be protected by SSL? Stefano Di Paola (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Message not available
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- RE: Should login pages be protected by SSL? maburns (Jun 20)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Torsten Mueller (Jun 21)
- RE: Should login pages be protected by SSL? Almerindo Graziano (Jun 21)
- Webapp-level protection/detection of Pharming attacks WebAppSecurity [Technicalinfo.net] (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)