WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Should login pages be protected by SSL?

From: Achim Hoffmann <ah () securenet de>
Date: Wed, 22 Jun 2005 22:30:24 +0200 (MEST)
On Wed, 22 Jun 2005, Dave Ockwell-Jenner wrote:

!!  From a purely non-technical viewpoint: it may be a good idea for the
!! login page to be protected by SSL if for no other reason that having the
!! browser show the "padlock" symbol. It's something that non-technical,
!! non-web developer people can see and (somewhat) understand. Since they
!! are typing their password on a page, that's what many associate with -
!! "I'm not entering my password here, I don't see the padlock".

not bad in first glance
But then the secure login page uses an insecure form action=
(by design or by accident or by phishing, doesn't matter)
well, most browsers will show an alert now, but are all non-technical no-web
developers aware what really happens?
In such a case (assuming that the user is not awrae what happens, which
is not uncommon) the padlock is a fake, exactly the oposite of what it
should be.

Again, I'd vote to teach the browser developers to undoubtly inform the
user what happens, in all cases. I've the feeling that these people are more
seruity-aware than most website developers ;-)

-- Achim
Previous By Date Next
Previous By Thread Next

Current thread: