WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Achim Hoffmann <ah () securenet de>
Date: Wed, 22 Jun 2005 22:30:24 +0200 (MEST)
On Wed, 22 Jun 2005, Dave Ockwell-Jenner wrote: !! From a purely non-technical viewpoint: it may be a good idea for the !! login page to be protected by SSL if for no other reason that having the !! browser show the "padlock" symbol. It's something that non-technical, !! non-web developer people can see and (somewhat) understand. Since they !! are typing their password on a page, that's what many associate with - !! "I'm not entering my password here, I don't see the padlock". not bad in first glance But then the secure login page uses an insecure form action= (by design or by accident or by phishing, doesn't matter) well, most browsers will show an alert now, but are all non-technical no-web developers aware what really happens? In such a case (assuming that the user is not awrae what happens, which is not uncommon) the padlock is a fake, exactly the oposite of what it should be. Again, I'd vote to teach the browser developers to undoubtly inform the user what happens, in all cases. I've the feeling that these people are more seruity-aware than most website developers ;-) -- Achim
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
- Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)
- Rephrased: Should login pages be protected by SSL - although it won'thelp most users? Amir Herzberg (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Devdas Bhagat (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)