WebApp Sec mailing list archives

Re: [summary] Re: Should login pages be protected by SSL?


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 24 Jun 2005 01:54:19 +0530

On 23/06/05 00:12 +0200, Ole Kasper Olsen wrote:
> On Wed, 22 Jun 2005 14:35:01 +0200, Steve Shah <sshah () risingedge org> wrote:
>
> > Amir Herzberg asked the question of "should login pages be SSL
> > encrypted". The flurry of discussion can be summarized as "Yes"
> > with the following details:
> > ...
> > 2. Most people believe that a login page *should* be encrypted
> >    for web sites carrying important data. (e.g., financial, etc.)
>
> Encryption is not the point. Authentication is. A login page will
> never contain sensitive data anyway and as long as the form is
> submitted to a secure server, the data is encrypted just fine. A
> problem arises when a customer is tricked into entering credentials at
> a bogus site.

If the login form is itself protected by https, then the bar for a
phish is raised to getting a certificate for that domain. With a plain
text login page, the bar for attacking is much lower.

Raising the bar, even by a little bit, helps a lot. Burning through
expensive certificates is a lot more expensive than bulk buying domains,
or just hosting on a free site.

Devdas Bhagat
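The weakness argued over above (a login form delivered over plain HTTP that merely posts to HTTPS) can be checked mechanically. The following is an added example, not code from the thread or its participants; the URLs and HTML snippets are constructed, and a real audit would fetch the page itself.

```python
"""Audit a login page for the weakness discussed in the thread: a form
served over plain HTTP cannot be trusted even if it posts to HTTPS, since
the page (and its action URL) can be rewritten in transit."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings for each password form on the page."""
    findings = []
    page_scheme = urlparse(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue  # not a credential form, nothing to judge
        # Resolve a relative action against the page URL, as a browser would.
        action = urljoin(page_url, form["action"])
        action_scheme = urlparse(action).scheme.lower()
        if page_scheme != "https":
            findings.append("login page served over %s: the form and its action URL "
                            "can be altered in transit, so posting to %s proves nothing"
                            % (page_scheme, action))
        if action_scheme != "https":
            findings.append("credentials posted over %s to %s" % (action_scheme, action))
    return findings


# Constructed sample pages (hypothetical host bank.example, not from the thread).
HTTP_PAGE_HTTPS_POST = ('<form action="https://bank.example/login" method="post">'
                        '<input name="u"><input type="password" name="p"></form>')
HTTPS_PAGE_RELATIVE_POST = ('<form action="/login" method="post">'
                            '<input type="password" name="p"></form>')
```

Running `audit_login_page("http://bank.example/", HTTP_PAGE_HTTPS_POST)` reports the HTTP-delivered form even though its action is HTTPS, while the HTTPS page with a relative action yields no findings.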

