WebApp Sec mailing list archives

RE: Should login pages be protected by SSL?


From: "Flanagan, Kevin" <Kevin.Flanagan () bmwfs com>
Date: Wed, 22 Jun 2005 13:23:45 -0400

Hope I've made it past the deadline for this post getting cut off.

Everyone has been addressing this from an encryption standpoint, but what I
haven't seen brought up is the fact that SSL is also providing
authentication of the web server.  By "securing" that login page using SSL
and certificates, the web server is proving to you that it is who it says it
is.  If you go to amazon.com and the cert is issued for amazon.com, you
won't get any cert warnings, and you'll get a nice little lock at the bottom
of your page.

If you are going to 10.0.0.2 and the cert is for amazon.com, you'll get a
cert warning (Grandma will typically click through this, but I on the other
hand will look a little deeper).

This helps smart people feel secure in that they are not being phished.  If
you wait until after someone puts their credentials in and clicks the login
button, it may be too late.  Your password could be compromised (unless you
view the source to figure out where your post is going to).

SSL provides authentication of the web server AND encryption.  A two for one
deal if you will...

-Kevin


-----Original Message-----
From: Glenn Euloth [mailto:eulothg () hfx eastlink ca] 
Sent: Wednesday, June 22, 2005 8:56 AM
To: webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL?

So, what we're really saying is that the biggest hurdle to decent security
is not the technology but the education of the masses who use it.  Which
means we have to make the security totally transparent to the user or solve
the unsolvable problem of user education.

With this in mind would it make more sense to develop systems that do not
let the user choose their password?  This way, they can't use the same
password for everything they do on the web.  The only problem then is
managing the passwords.

For a geek like myself, I can figure out how to easily make use of Bruce
Schneier's Password Safe or another tool like it and ensure that I have a
different password for all my web surfing needs but grandma is going to have
a very difficult time with a setup like this.

Starts to bring me back to that old programming adage.  "Build a system that
an idiot can use and only an idiot will want to use it."

Regards, Glenn Euloth


There may not be an advantage in breaking into that account but 
consider that when grandmother registered at the web site she 
probably picked the same userid and password and password hint as 
she has at lots of other sites ..

And SSL does nothing to mitigate that risk.

-Steve

--
Steve Shah
sshah () RisingEdge org


SSL mitigates the risk of being able to sniff the userid/password from the
unsecured wireless WAPs.
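Kevin's point that SSL authenticates the server rests on the browser checking that the name in the certificate matches the host it actually connected to: a cert for amazon.com presented by 10.0.0.2 must fail that check and trigger the warning he describes. The following is an added example, not code from any poster in this thread. It implements that name check in Python over the dictionary shape that `ssl.SSLSocket.getpeercert()` returns; the certificates below are constructed samples, and the policy of falling back to the commonName only when no subjectAltName is present is an assumption that mirrors how modern clients behave.

```python
import ipaddress

# Constructed sample certificates, in the shape returned by
# ssl.SSLSocket.getpeercert() (not real certificates).
CERT_FOR_AMAZON = {
    "subject": ((("commonName", "amazon.com"),),),
    "subjectAltName": (("DNS", "amazon.com"), ("DNS", "*.amazon.com")),
}
CERT_WITH_IP = {
    "subject": ((("commonName", "intranet.example"),),),
    "subjectAltName": (("DNS", "intranet.example"), ("IP Address", "10.0.0.2")),
}
CERT_CN_ONLY = {
    # Legacy certificate with no subjectAltName at all.
    "subject": ((("commonName", "legacy.example"),),),
}


def dns_name_matches(pattern, host):
    """Match one dNSName pattern from a certificate against a host name.

    Follows the RFC 6125 rules browsers apply: case-insensitive, a wildcard
    may only be the entire leftmost label, it matches exactly one label, and
    it may not cover a public suffix such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label or too-broad wildcard is rejected
    if len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """Return (ok, reason): ok is True only if the cert covers `host`.

    `host` is whatever the user typed or clicked: a DNS name or an IP
    address literal. IP literals are only matched against 'IP Address'
    SAN entries, never against DNS entries, so a cert issued for
    amazon.com presented by 10.0.0.2 is rejected.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True, "matched SAN IP Address %s" % value
                except ValueError:
                    continue  # malformed entry is skipped, not trusted
            elif ip is None and kind == "DNS" and dns_name_matches(value, host):
                return True, "matched SAN DNS %s" % value
        return False, "host %r not covered by subjectAltName %r" % (host, san)

    # Assumption: commonName is consulted only for certs that carry no SAN,
    # and never for IP-address hosts.
    if ip is None:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and dns_name_matches(value, host):
                    return True, "matched legacy commonName %s" % value
    return False, "host %r not covered by certificate subject" % host


if __name__ == "__main__":
    # Kevin's scenario: the cert is for amazon.com but the connection is
    # to 10.0.0.2, so the client must warn rather than show the lock.
    for cert, host in [
        (CERT_FOR_AMAZON, "amazon.com"),
        (CERT_FOR_AMAZON, "www.amazon.com"),
        (CERT_FOR_AMAZON, "10.0.0.2"),
        (CERT_FOR_AMAZON, "amazon.com.attacker.example"),
        (CERT_WITH_IP, "10.0.0.2"),
        (CERT_CN_ONLY, "legacy.example"),
    ]:
        ok, reason = hostname_matches(cert, host)
        print("%-30s %-5s %s" % (host, "OK" if ok else "WARN", reason))
```

The check is deliberately strict about IP literals and about wildcards, because those are exactly the places where a lax matcher would let a certificate issued for one name vouch for a server the user never intended to reach.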

