WebApp Sec mailing list archives
Re: [summary] Re: Should login pages be protected by SSL?
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 24 Jun 2005 01:54:19 +0530
On 23/06/05 00:12 +0200, Ole Kasper Olsen wrote:
> On Wed, 22 Jun 2005 14:35:01 +0200, Steve Shah <sshah () risingedge org> wrote:
>> Amir Herzberg asked the question of "should login pages be SSL encrypted". The flurry of discussion can be summarized as "Yes" with the following details:
>> ...
>> 2. Most people believe that a login page *should* be encrypted for web sites carrying important data. (e.g., financial, etc.)
>
> Encryption is not the point. Authentication is. A login page will never contain sensitive data anyway and as long as the form is submitted to a secure server, the data is encrypted just fine. A problem arises when a customer is tricked into entering credentials at a bogus site.

If the login form is itself protected by https, then the bar for a phish is raised to getting a certificate for that domain. With a plain text login page, the bar for attacking is much lower. Raising the bar, even by a little bit, helps a lot. Burning through expensive certificates is a lot more expensive than bulk buying domains, or just hosting on a free site.

Devdas Bhagat