WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Wed, 22 Jun 2005 13:04:51 -0400
I agree, but I can see why most places do not do this.

1) SSL on the server side eats up a lot of CPU time. Yes, in this day and age there are proxy boxes, SSL off-load boxes, faster CPUs, etc., but not everybody has the money or time to upgrade. When you get thousands or millions of hits, it can make a difference.

2) Most login functions are more than just a form-based login. It may look like you're about to enter your info in cleartext, but a correct page will encrypt the info and pass you to an SSL page.

There are a lot of other items besides SSL that can hurt you. One quick example - cookies. A poor program could store info in the clear in a cookie and even leave it on your hard disk.

Jeff

-----Original Message-----
From: Dave Ockwell-Jenner [mailto:doj () solar-nexus com]
Sent: Wednesday, June 22, 2005 07:05 AM
Cc: webappsec () securityfocus com
Subject: Re: Should login pages be protected by SSL?

From a purely non-technical viewpoint: it may be a good idea for the login page to be protected by SSL if for no other reason than having the browser show the "padlock" symbol. It's something that non-technical, non-web developer people can see and (somewhat) understand. Since they are typing their password on a page, that's what many associate with - "I'm not entering my password here, I don't see the padlock".

Amir Herzberg wrote:
There may be some argument even in this case (privacy, tendency of users to use same passwords, ...). But this was _not_ my intent. I may not have been clear, but I am interested in sensitive sites - financial, shopping, security (CA, DNS, SSO, Portals, etc.). As you can see in my `Hall of Shame` http://AmirHerzberg.com/shame.html, many of these don't use SSL to authenticate the login page, only to encrypt the password (when using a correct login page).

So, the real question I'm asking: should login pages to sensitive (e.g. financial) sites be protected by SSL?
--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/

-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.